Cisco Secure Firewall - Possibly Compromised Host

name: Cisco Secure Firewall - Possibly Compromised Host
id: 244a77bb-3b2a-46f1-bf2c-b4f7cd29276d
version: 6
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: experimental
type: Anomaly
description: |
    The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall.
    This detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and `Impact` field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. If confirmed malicious this may indicate a potential compromised host.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall` EventType=IntrusionEvent Impact IN (1,2)
    | stats count as TotalDetections values(signature_id) as signature_id
            values(signature) as signature
            values(rule) as rule
            min(_time) as firstTime max(_time) as lastTime
            by src dest dest_port transport Impact app impact_desc class_desc MitreAttackGroups InlineResult InlineResultReason
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_secure_firewall___possibly_compromised_host_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The intrusion access policy must also be configured.
known_false_positives: False positives are directly related to their snort rules triggering and the firewall scoring. Apply additional filters if the rules are too noisy by disabling them or simply ignoring certain IP ranges that trigger it.
references:
    - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A high impact IntrusionEvent was detected from $src$ to $dest$.
    risk_objects:
        - field: src
          type: system
          score: 20
    threat_objects:
        - field: signature
          type: signature
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
    asset_type: Network
    security_domain: network
    mitre_attack_id:
        - T1203
        - T1059
        - T1587.001
    product:
        - Splunk Enterprise
        - Splunk Cloud
        - Splunk Enterprise Security