
Cisco Secure Firewall - Intrusion Events by Threat Activity

Splunk Security Content

Summary
This analytic rule, 'Cisco Secure Firewall - Intrusion Events by Threat Activity', detects intrusion events that arise from known threat activity by analyzing logs generated by Cisco Secure Firewall's Intrusion Defense system. It examines IntrusionEvent logs for triggered Snort signatures that a lookup table maps to known threat actors and techniques. Specifically, the rule checks whether one or more Snort signatures associated with a particular threat actor are triggered within a defined one-hour time frame; when the number of unique signatures meets or exceeds the threshold expected for that threat technique, an alert is generated. This helps security teams identify potentially coordinated threat activity on their network from correlated intrusion events that occur close together in time. Implementation requires configuring the appropriate environment settings, ensuring that Cisco Secure Firewall Threat Defense logs are properly ingested into the SIEM, and maintaining an up-to-date mapping file.
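As an added illustration (not the rule's own SPL or any Splunk code), the correlation logic described above in Python: a constructed signature-to-actor mapping stands in for the lookup file, the IntrusionEvent records are constructed, and the field names `time`, `snort_id` and `src` are assumptions rather than the firewall's schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed lookup table standing in for the rule's mapping file (layout assumed):
# Snort signature id -> (threat actor, ATT&CK technique, expected number of unique signatures)
SIGNATURE_MAP = {
    "1:1000001": ("ACTOR-A", "T1041", 2),
    "1:1000002": ("ACTOR-A", "T1041", 2),
    "1:1000003": ("ACTOR-B", "T1573.002", 3),
    "1:1000004": ("ACTOR-B", "T1573.002", 3),
    "1:1000005": ("ACTOR-B", "T1573.002", 3),
}

# Constructed IntrusionEvent records; field names are assumptions, not the real schema.
EVENTS = [
    {"time": "2025-05-12T10:05:00", "snort_id": "1:1000001", "src": "10.0.0.5"},
    {"time": "2025-05-12T10:40:00", "snort_id": "1:1000002", "src": "10.0.0.5"},  # ACTOR-A: 2 of 2 in one hour
    {"time": "2025-05-12T11:10:00", "snort_id": "1:1000003", "src": "10.0.0.9"},
    {"time": "2025-05-12T11:15:00", "snort_id": "1:1000004", "src": "10.0.0.9"},  # ACTOR-B: only 2 of 3
    {"time": "2025-05-12T13:00:00", "snort_id": "1:1000005", "src": "10.0.0.9"},  # different hour bucket
    {"time": "2025-05-12T09:30:00", "snort_id": "1:9999999", "src": "10.0.0.7"},  # unmapped, ignored
]


def correlate(events, sig_map):
    """Return one alert per (actor, technique, one-hour bucket) whose count of distinct
    triggered Snort signatures meets or exceeds the threshold from the mapping table."""
    buckets = defaultdict(set)   # (actor, technique, hour_start) -> set of signature ids
    thresholds = {}              # (actor, technique) -> expected unique-signature count
    for ev in events:
        mapping = sig_map.get(ev["snort_id"])
        if mapping is None:
            continue  # signature not tied to known threat activity
        actor, technique, expected = mapping
        ts = datetime.fromisoformat(ev["time"])
        # Fixed one-hour bucket, the equivalent of bin _time span=1h in SPL
        hour_start = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(actor, technique, hour_start)].add(ev["snort_id"])
        thresholds[(actor, technique)] = expected
    alerts = []
    for (actor, technique, hour_start), sigs in sorted(buckets.items()):
        if len(sigs) >= thresholds[(actor, technique)]:
            alerts.append({"actor": actor, "technique": technique,
                           "window_start": hour_start.isoformat(), "signatures": sorted(sigs)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, SIGNATURE_MAP):
        print(alert)
```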
Categories
  • Network
Data Sources
  • Container
ATT&CK Techniques
  • T1041
  • T1573.002
Created: 2025-05-12