|
Prohibited Network Traffic Allowed
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Ransomware, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2026-05-13
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
|
Anomaly
|
Interlock Ransomware, AgentTesla
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Correlation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
HTTP RMM User Agent
|
Suricata
|
T1071.001
T1219
|
Anomaly
|
Suspicious User Agents, Remote Monitoring and Management Software
|
2026-05-13
|
|
Windows Remote Desktop Network Bruteforce Attempt
|
Sysmon EventID 3, Cisco Secure Access Firewall
|
T1110.001
|
Anomaly
|
SamSam Ransomware, Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics, Ryuk Ransomware, Compromised User Account
|
2026-05-13
|
|
HTTP Malware User Agent
|
Suricata
|
T1071.001
|
TTP
|
Lokibot, Crypto Stealer, Meduza Stealer, Suspicious User Agents, Lumma Stealer, RedLine Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
|
Anomaly
|
Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware
|
2026-05-13
|
|
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
|
Cisco Secure Access Proxy
|
T1595
|
Anomaly
|
Cisco Secure Access Analytics
|
2026-06-09
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
TTP
|
Trickbot
|
2026-05-13
|
|
Cisco SD-WAN - Peering Activity
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Bits Network Activity
|
Cisco Secure Firewall Threat Defense Connection Event
|
N/A
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Remote Desktop Network Traffic
|
Zeek Conn
|
T1021.001
|
Anomaly
|
SamSam Ransomware, Windows RDP Artifacts and Defense Evasion, Hidden Cobra Malware, Ryuk Ransomware, Active Directory Lateral Movement
|
2026-05-13
|
|
Cisco Privileged Account Creation with HTTP Command Execution
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
HTTP C2 Framework User Agent
|
Suricata
|
T1071.001
|
TTP
|
Malicious PowerShell, Brute Ratel C4, Cobalt Strike, Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Suspicious User Agents, Tuoni, Meterpreter
|
2026-05-13
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, CISA AA24-241A, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Large ICMP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall
|
T1095
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Access Analytics, Command And Control, Backdoor Pingpong
|
2026-05-13
|
|
Cisco Secure Firewall - Privileged Command Execution via HTTP
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1505.003
|
Anomaly
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
HTTP PUA User Agent
|
Suricata
|
T1071.001
|
Anomaly
|
Suspicious User Agents, Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Cactus Ransomware
|
2026-05-13
|
|
Cisco Secure Firewall - React Server Components RCE Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
React2Shell
|
2026-05-13
|
|
Cisco Secure Firewall - Intrusion Events by Threat Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor
|
2026-05-13
|
|
Cisco Secure Firewall - Communication Over Suspicious Ports
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1021
T1055
T1059.001
T1105
T1219
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect DNS Query to Decommissioned S3 Bucket
|
Sysmon EventID 22
|
T1485
|
Anomaly
|
AWS S3 Bucket Security Monitoring, Data Destruction
|
2026-05-13
|
|
Detect ARP Poisoning
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1018
T1046
T1110
T1203
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Smart Install Oversized Packet Detection
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Smart Install Port Discovery and Status
|
Splunk Stream TCP
|
T1190
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Potential Data Exfiltration
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1048.003
T1567.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
TOR Traffic
|
Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event
|
T1090.003
|
TTP
|
Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Cisco TFTP Server Configuration for Data Exfiltration
|
Cisco IOS Logs
|
T1005
T1567
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Zeek x509 Certificate with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1190
|
TTP
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
SSL Certificates with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2026-05-13
|
|
Detect Software Download To Network Device
|
|
T1542.005
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Cisco SD-WAN - Low Frequency Rogue Peer
|
Cisco SD-WAN NTCE 1000001
|
T1190
|
Anomaly
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
Detect Zerologon via Zeek
|
|
T1190
|
TTP
|
Detect Zerologon Attack, Rhysida Ransomware, Black Basta Ransomware
|
2026-05-13
|
|
Detect SNICat SNI Exfiltration
|
|
T1041
|
TTP
|
Data Exfiltration
|
2026-05-13
|
|
Cisco Secure Firewall - Remote Access Software Usage Traffic
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1219
|
Anomaly
|
Command And Control, Ransomware, Remote Monitoring and Management Software, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Protocols passing authentication in cleartext
|
Cisco Secure Firewall Threat Defense Connection Event
|
N/A
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Use of Cleartext Protocols
|
2026-05-13
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
T1133
T1190
|
TTP
|
F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A
|
2026-05-13
|
|
Cisco Secure Firewall - Malware File Downloaded
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Internal Vulnerability Scan
|
|
T1046
T1595.002
|
TTP
|
Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Windows DNS Query Request by Telegram Bot API
|
Sysmon EventID 22
|
T1071.004
T1102.002
|
Anomaly
|
Crypto Stealer, 0bj3ctivity Stealer, VIP Keylogger, BlankGrabber Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - Static Tundra Smart Install Abuse
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
T1210
T1499
|
TTP
|
Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
T1059.005
|
Anomaly
|
Cactus Ransomware, PXA Stealer, BlankGrabber Stealer, Data Destruction, WhisperGate
|
2026-05-13
|
|
Cisco Configuration Archive Logging Analysis
|
Cisco IOS Logs
|
T1098
T1505.003
T1685
|
Hunting
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1573.002
T1587.002
T1588.004
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218.011
|
TTP
|
Living Off The Land, IcedID
|
2026-05-13
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
T1219
|
Anomaly
|
Command And Control, Scattered Spider, Ransomware, Remote Monitoring and Management Software, Interlock Ransomware, Insider Threat, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
|
2026-05-13
|
|
Cisco Privileged Account Creation with Suspicious SSH Activity
|
|
T1021.004
T1078
T1136
|
Correlation
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Rogue DHCP Server
|
Cisco IOS Logs
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Download Attempt
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1041
T1573.002
|
Anomaly
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - High Priority Intrusion Classification
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003
T1071
T1078
T1190
T1203
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Rare Snort Rule Triggered
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1583.006
T1598
|
Hunting
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
T1590.005
|
Anomaly
|
VIP Keylogger, DarkCrystal RAT, Castle RAT, Water Gamayun, 0bj3ctivity Stealer, Meduza Stealer, Azorult, PXA Stealer, Snake Keylogger, Handala Wiper, Quasar RAT, BlankGrabber Stealer, Phemedrone Stealer, Void Manticore
|
2026-05-13
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
T1046
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery
|
2026-05-13
|
|
Cisco IOS Suspicious Privileged Account Creation
|
Cisco IOS Logs
|
T1078
T1136
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
|
TTP
|
Malicious Inno Setup Loader, Remcos, Cactus Ransomware, Braodo Stealer, Meduza Stealer, PXA Stealer, Snake Keylogger, Data Destruction, BlankGrabber Stealer, WhisperGate, Phemedrone Stealer, RedLine Stealer
|
2026-05-13
|
|
Cisco Secure Firewall - High EVE Threat Confidence
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1041
T1071.001
T1105
T1573.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Repeated Malware Downloads
|
Cisco Secure Firewall Threat Defense File Event
|
T1027
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware
|
2026-05-13
|
|
Windows AD Replication Service Traffic
|
|
T1003.006
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to Non-Standard Port
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2026-05-13
|
|
Cisco Network Interface Modifications
|
Cisco IOS Logs
|
T1021
T1133
T1556
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Wget or Curl Download
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1053.003
T1059
T1071.001
T1105
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
Anomaly
|
Malicious Inno Setup Loader, NjRAT, BlankGrabber Stealer, CISA AA24-241A
|
2026-05-13
|
|
Detect Port Security Violation
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
Large Volume of DNS ANY Queries
|
|
T1498.002
|
Anomaly
|
DNS Amplification Attacks
|
2026-05-13
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1090
T1102
T1572
|
Anomaly
|
CISA AA22-320A, Reverse Network Proxy, CISA AA24-241A
|
2026-05-13
|
|
Detect Windows DNS SIGRed via Zeek
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
T1189
|
TTP
|
Command And Control, Data Protection, DNS Hijacking, Suspicious DNS Traffic, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Cisco Secure Firewall - File Download Over Uncommon Port
|
Cisco Secure Firewall Threat Defense File Event
|
T1105
T1571
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1003.001
T1059.001
T1190
T1210
|
TTP
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Protocol or Port Mismatch
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1048.003
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch
|
2026-05-13
|
|
Detect Outbound SMB Traffic
|
Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1071.002
|
TTP
|
DHS Report TA18-074A, Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Hidden Cobra Malware, NOBELIUM Group
|
2026-05-13
|
|
Detect Unauthorized Assets by MAC address
|
|
N/A
|
TTP
|
Asset Tracking
|
2026-05-13
|
|
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1190
|
TTP
|
Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Binary File Type Download
|
Cisco Secure Firewall Threat Defense File Event
|
T1059
T1203
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect Traffic Mirroring
|
Cisco IOS Logs
|
T1020.001
T1200
T1498
|
TTP
|
Router and Infrastructure Security
|
2026-05-13
|
|
DNS Kerberos Coercion
|
Suricata, Sysmon EventID 22
|
T1071.004
T1187
T1557.001
|
TTP
|
Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic
|
2026-05-13
|
|
Cisco Secure Firewall - Possibly Compromised Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1203
T1587.001
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - Connection to File Sharing Domain
|
Cisco Secure Firewall Threat Defense Connection Event
|
T1071.001
T1090.002
T1105
T1567.002
T1588.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Excessive DNS Failures
|
|
T1071.004
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2026-05-13
|
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
T1040
T1552
T1685
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2026-05-13
|
|
Cisco Secure Firewall - Lumma Stealer Activity
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1027
T1190
T1204
T1210
|
TTP
|
Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
|
Hunting
|
AsyncRAT, MuddyWater, Spearphishing Attachments
|
2026-05-13
|
|
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
|
Cisco SD-WAN Service Proxy Access Logs
|
T1595
|
Hunting
|
Cisco Catalyst SD-WAN Analytics
|
2026-05-13
|
|
SMB Traffic Spike
|
|
T1021.002
|
Anomaly
|
Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Ransomware, Hidden Cobra Malware
|
2026-05-13
|
|
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1059
T1071
T1595.002
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
|
Detect IPv6 Network Infrastructure Threats
|
Cisco IOS Logs
|
T1200
T1498
T1557.002
|
TTP
|
Router and Infrastructure Security, Scattered Lapsus$ Hunters
|
2026-05-13
|
|
Hosts receiving high volume of network traffic from email server
|
|
T1114.002
|
Anomaly
|
Collection and Staging
|
2026-05-13
|
|
Cisco SA - Access to Anonymizer Services
|
Cisco Secure Access DNS
|
T1090.003
|
Anomaly
|
Cisco Secure Access Analytics
|
2026-06-09
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2026-05-13
|
|
Detect Outbound LDAP Traffic
|
Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event
|
T1059
T1190
|
Hunting
|
Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics
|
2026-05-13
|
|
Cisco Secure Firewall - SSH Connection to sshd_operns
|
Cisco Secure Firewall Threat Defense Intrusion Event
|
T1021.004
|
Anomaly
|
Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics
|
2026-05-13
|
