Analytics Story: Cisco Secure Firewall Threat Defense Analytics
Description
This analytic story provides a suite of detections built to analyze network traffic logs from Cisco Secure Firewall Threat Defense (FTD) appliances.
The included analytics focus on uncovering suspicious and potentially malicious behavior such as data exfiltration, encrypted command and control (C2) activity, unauthorized tool downloads, repeated connection attempts to blocked destinations, and traffic involving suspicious SSL certificates or file sharing services.
These detections help security teams identify threats that may be missed by traditional rule-based approaches, offering deeper insight into encrypted sessions, protocol misuse, and adversary abuse of legitimate services.
Why it matters
Cisco Secure Firewall Threat Defense is a next-generation firewall platform that provides deep visibility into network activity, including rich telemetry such as connection metadata, application identification, and encrypted traffic analysis through the Encrypted Visibility Engine (EVE).
This analytic story leverages that visibility to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Command and Control, Exfiltration, Execution, and Discovery.
Correlation Search
Cisco Privileged Account Creation with HTTP Command Execution
| tstats `security_content_summariesonly`
    min(_time) as firstTime
    max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score
    count(All_Risk.calculated_risk_score) as risk_event_count
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
    values(All_Risk.tag) as tag
    values(source) as source
    dc(source) as source_count
    values(contributing_events_search)
    values(All_Risk.threat_object)
  from datamodel=Risk.All_Risk where
    source IN (
      "*Cisco IOS Suspicious Privileged Account Creation*",
      "*Cisco Secure Firewall - Privileged Command Execution via HTTP*"
    )
  by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `cisco_privileged_account_creation_with_http_command_execution_filter`
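To make the correlation's threshold concrete, here is an added Python model (not part of the Splunk content or the page) that replays the tstats aggregation over constructed risk events; the field names and the fnmatch-style wildcard matching of the source patterns are assumptions. It shows that `source_count >= 2` counts distinct contributing detections, so one detection firing repeatedly on a host does not satisfy it.

```python
from fnmatch import fnmatch

# Wildcard source patterns from the correlation search's IN (...) clause.
SOURCE_PATTERNS = (
    "*Cisco IOS Suspicious Privileged Account Creation*",
    "*Cisco Secure Firewall - Privileged Command Execution via HTTP*",
)

# Constructed sample risk events (assumed field names, not real data).
RISK_EVENTS = [
    {"_time": 1700000000, "normalized_risk_object": "10.0.0.5", "calculated_risk_score": 40,
     "source": "ESCU - Cisco IOS Suspicious Privileged Account Creation - Rule"},
    {"_time": 1700000600, "normalized_risk_object": "10.0.0.5", "calculated_risk_score": 50,
     "source": "ESCU - Cisco Secure Firewall - Privileged Command Execution via HTTP - Rule"},
    # The same detection firing twice on another host counts as one distinct source.
    {"_time": 1700001200, "normalized_risk_object": "10.0.0.9", "calculated_risk_score": 50,
     "source": "ESCU - Cisco Secure Firewall - Privileged Command Execution via HTTP - Rule"},
    {"_time": 1700001800, "normalized_risk_object": "10.0.0.9", "calculated_risk_score": 50,
     "source": "ESCU - Cisco Secure Firewall - Privileged Command Execution via HTTP - Rule"},
    # An unrelated detection on the first host: dropped by the source IN (...) filter.
    {"_time": 1700002400, "normalized_risk_object": "10.0.0.5", "calculated_risk_score": 10,
     "source": "ESCU - Some Other Detection - Rule"},
]


def correlate(events, min_sources=2):
    """Mirror the tstats aggregation: group selected risk events by
    normalized_risk_object and keep groups whose distinct source count
    reaches min_sources (the `where source_count >= 2` clause)."""
    groups = {}
    for e in events:
        if not any(fnmatch(e["source"], p) for p in SOURCE_PATTERNS):
            continue  # not one of the two correlated detections
        g = groups.setdefault(e["normalized_risk_object"], {
            "firstTime": e["_time"], "lastTime": e["_time"],
            "risk_score": 0, "risk_event_count": 0, "source": set()})
        g["firstTime"] = min(g["firstTime"], e["_time"])   # min(_time)
        g["lastTime"] = max(g["lastTime"], e["_time"])     # max(_time)
        g["risk_score"] += e["calculated_risk_score"]     # sum(calculated_risk_score)
        g["risk_event_count"] += 1                        # count(calculated_risk_score)
        g["source"].add(e["source"])                      # values(source) / dc(source)
    return {obj: dict(g, source_count=len(g["source"]))
            for obj, g in groups.items() if len(g["source"]) >= min_sources}


if __name__ == "__main__":
    for obj, g in correlate(RISK_EVENTS).items():
        print(obj, g["source_count"], g["risk_score"], sorted(g["source"]))
```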
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Cisco Secure Firewall - Communication Over Suspicious Ports | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly |
| Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly |
| Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Command and Scripting Interpreter, Application Layer Protocol, Vulnerability Scanning | Anomaly |
| Cisco Secure Firewall - Blocked Connection | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Protocol or Port Mismatch | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| TOR Traffic | Multi-hop Proxy | TTP |
| Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP |
| Cisco Secure Firewall - SSH Connection to sshd_operns | SSH | Anomaly |
| Cisco Secure Firewall - Potential Data Exfiltration | Exfiltration Over C2 Channel, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration to Cloud Storage | Anomaly |
| Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly |
| Cisco Secure Firewall - High Priority Intrusion Classification | OS Credential Dumping, Application Layer Protocol, Valid Accounts, Exploit Public-Facing Application, Exploitation for Client Execution | TTP |
| Cisco Secure Firewall - Static Tundra Smart Install Abuse | Exploit Public-Facing Application, Exploitation of Remote Services, Endpoint Denial of Service | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |
| Protocols passing authentication in cleartext | None | Anomaly |
| Cisco Secure Firewall - Privileged Command Execution via HTTP | Command and Scripting Interpreter, Web Shell | Anomaly |
| Internal Horizontal Port Scan NMAP Top 20 | Network Service Discovery | TTP |
| Cisco Secure Firewall - High EVE Threat Confidence | Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography | Anomaly |
| Detect Outbound SMB Traffic | File Transfer Protocols | TTP |
| Cisco Secure Firewall - Repeated Blocked Connections | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly |
| Detect Outbound LDAP Traffic | Command and Scripting Interpreter, Exploit Public-Facing Application | Hunting |
| Cisco Secure Firewall - Oracle E-Business Suite Exploitation | Exploit Public-Facing Application | TTP |
| Cisco Secure Firewall - Oracle E-Business Suite Correlation | Exploit Public-Facing Application | TTP |
| Cisco Secure Firewall - Repeated Malware Downloads | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly |
| Cisco Secure Firewall - Wget or Curl Download | Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer | Anomaly |
| Cisco Secure Firewall - Possibly Compromised Host | Command and Scripting Interpreter, Exploitation for Client Execution, Malware | Anomaly |
| Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Web Protocols, Asymmetric Cryptography, Code Signing Certificates, Digital Certificates | TTP |
| Cisco Secure Firewall - Rare Snort Rule Triggered | Web Services, Phishing for Information | Hunting |
| Cisco Secure Firewall - Lumma Stealer Download Attempt | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly |
| Cisco Secure Firewall - Lumma Stealer Activity | Obfuscated Files or Information, Exploit Public-Facing Application, User Execution, Exploitation of Remote Services | TTP |
| Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt | Command and Scripting Interpreter, Exploitation for Client Execution | TTP |
| Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity | LSASS Memory, PowerShell, Exploit Public-Facing Application, Exploitation of Remote Services | TTP |
| Cisco Secure Firewall - Bits Network Activity | None | Anomaly |
| Cisco Secure Firewall - Malware File Downloaded | Ingress Tool Transfer, Exploitation for Client Execution | Anomaly |
| Cisco Secure Firewall - Binary File Type Download | Command and Scripting Interpreter, Exploitation for Client Execution | Anomaly |
| Cisco Secure Firewall - SSH Connection to Non-Standard Port | SSH | Anomaly |
| Cisco Secure Firewall - File Download Over Uncommon Port | Ingress Tool Transfer, Non-Standard Port | Anomaly |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly |
| Cisco Secure Firewall - Intrusion Events by Threat Activity | Exfiltration Over C2 Channel, Asymmetric Cryptography | Anomaly |
Source: GitHub | Version: 2