Analytics Story: Cisco Secure Firewall Threat Defense Analytics
Description
This analytic story provides a suite of detections built to analyze network traffic logs from Cisco Secure Firewall Threat Defense (FTD) appliances. The included analytics focus on uncovering suspicious and potentially malicious behavior such as data exfiltration, encrypted command and control (C2) activity, unauthorized tool downloads, repeated connection attempts to blocked destinations, and traffic involving suspicious SSL certificates or file sharing services. These detections help security teams identify threats that may be missed by traditional rule-based approaches, offering deeper insight into encrypted sessions, protocol misuse, and adversary abuse of legitimate services.
Why it matters
Cisco Secure Firewall Threat Defense is a next-generation firewall platform that provides deep visibility into network activity, including rich telemetry such as connection metadata, application identification, and encrypted traffic analysis through the Encrypted Visibility Engine (EVE). This analytic story leverages that visibility to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Command and Control, Exfiltration, Execution, and Discovery.
Correlation Search
Cisco Privileged Account Creation with Suspicious SSH Activity
1| tstats `security_content_summariesonly`
2 min(_time) as firstTime
3 max(_time) as lastTime
4
5 sum(All_Risk.calculated_risk_score) as risk_score
6 count(All_Risk.calculated_risk_score) as risk_event_count
7
8 values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
9 dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
10
11 values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
12 dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
13
14 values(All_Risk.tag) as tag
15 values(source) as source
16 dc(source) as source_count
17
18 values(contributing_events_search)
19
20 values(All_Risk.threat_object)
21
22 from datamodel=Risk.All_Risk where
23
24 source IN (
25 "*Cisco IOS Suspicious Privileged Account Creation*",
26 "*Cisco Secure Firewall - SSH Connection to sshd_operns*",
27 "*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
28 )
29 by All_Risk.normalized_risk_object
30| `drop_dm_object_name(All_Risk)`
31| eval has_account_creation=if(
32 match(source, "Cisco IOS Suspicious Privileged Account Creation"),
33 1, 0
34 )
35| eval has_ssh_detection=if(
36 match(source, "SSH Connection to sshd_operns")
37 OR
38 match(source, "SSH Connection to Non-Standard Port"),
39 1, 0
40 )
41| where has_account_creation=1
42 AND
43 has_ssh_detection=1
44| `security_content_ctime(firstTime)`
45| `security_content_ctime(lastTime)`
46| `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS CloudWatchLogs VPCflow |  AWS |
aws:cloudwatchlogs:vpcflow |
aws_cloudwatchlogs_vpcflow |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer |
not_applicable |
| Cisco Secure Firewall Threat Defense File Event | Other | cisco:sfw:estreamer |
not_applicable |
| Cisco Secure Firewall Threat Defense Intrusion Event | Other | cisco:sfw:estreamer |
not_applicable |
| Palo Alto Network Traffic |  Network |
pan:traffic |
screenconnect_palo_traffic |
References
Source: GitHub | Version: 1