Data Source: Cisco Secure Firewall Threat Defense Connection Event

Description

Data source object for raw connection events from Cisco Secure Firewall Threat Defense

Details

| Property   | Value                |
|------------|----------------------|
| Source     | not_applicable       |
| Sourcetype | cisco:sfw:estreamer  |

Detections using this data source
| Name | Technique | Type |
|------|-----------|------|
| Cisco Secure Firewall - Bits Network Activity | None | Anomaly |
| Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography | TTP |
| Cisco Secure Firewall - Blocked Connection | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly |
| Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly |
| Cisco Secure Firewall - High EVE Threat Confidence | Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography | Anomaly |
| Cisco Secure Firewall - Potential Data Exfiltration | Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Cisco Secure Firewall - Repeated Blocked Connections | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly |
| Cisco Secure Firewall - Wget or Curl Download | Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer | Anomaly |
| Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting |
| Detect Outbound SMB Traffic | File Transfer Protocols | TTP |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Internal Horizontal Port Scan NMAP Top 20 | Network Service Discovery | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |
| Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP |
| Protocol or Port Mismatch | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| Protocols passing authentication in cleartext | None | Anomaly |
| TOR Traffic | Multi-hop Proxy | TTP |

Supported Apps

Event Fields

  • AC_RuleAction
  • action
  • app
  • Application
  • bytes_in
  • bytes_out
  • ClientAppDetector
  • ClientApplication
  • connection_id
  • ConnectionDuration
  • ConnectionID
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dest_interface
  • dest_ip
  • dest_port
  • dest_zone
  • device_id
  • DeviceUUID
  • dvc
  • EgressInterface
  • EgressVRF
  • EgressZone
  • EVE_Fingerprint
  • EVE_Process
  • EVE_ProcessConfidencePct
  • EVE_ThreatConfidenceIndex
  • EVE_ThreatConfidencePct
  • eventtype
  • EventType
  • FirewallPolicy
  • FirewallRule
  • FirstPacketSecond
  • host
  • index
  • IngressInterface
  • IngressVRF
  • IngressZone
  • InitiatorBytes
  • InitiatorIP
  • InitiatorPackets
  • InitiatorPort
  • instance_id
  • InstanceID
  • LastPacketSecond
  • linecount
  • NAP_Policy
  • NAT_InitiatorIP
  • NAT_InitiatorPort
  • NAT_ResponderIP
  • NAT_ResponderPort
  • packets_in
  • packets_out
  • PrefilterPolicy
  • Protocol
  • punct
  • ResponderBytes
  • ResponderIP
  • ResponderPackets
  • ResponderPort
  • rule
  • source
  • sourcetype
  • splunk_server
  • src_interface
  • src_ip
  • src_port
  • src_zone
  • SSL_ActualAction
  • SSL_CertFingerprint
  • SSL_CipherSuite
  • SSL_ExpectedAction
  • SSL_FlowStatus
  • ssl_hash
  • ssl_policies
  • SSL_Policy
  • SSL_ServerCertStatus
  • ssl_signature_algorithm
  • ssl_version
  • SSL_Version
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • transport
  • url
  • URL
  • vendor_product
  • WebApplication

Example Log

{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}

Required Output Fields

  • src
  • dest
  • dest_port
  • transport
  • rule
  • action

Source: GitHub | Version: 2