splunk_escuAnomaly

Cisco Secure Firewall - Malware File Downloaded

The following analytic detects file downloads that were classified as malware by Cisco Secure Firewall Threat Defense. It relies on the `SHA_Disposition` field with a value of "Malware" and includes metadata such as file name, file_hash hash, and threat classification. This analytic is critical for surfacing file-based threats that are identified via Cisco's AMP or Threat Grid integrations. If confirmed malicious, this could indicate delivery of malware.

MITRE ATT&CK

T1203 T1105

Detection Query

`cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
        values(uri) as uri
        values(ClientApplication) as ClientApplication
        values(file_hash) as file_hash
        by FileDirection dest src dest_port FileType app file_name ThreatName Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
| `cisco_secure_firewall___malware_file_downloaded_filter`

Author

Nasreddine Bencherchali, Splunk

Created

2026-03-10

Data Sources

Cisco Secure Firewall Threat Defense File Event

References

https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf

Tags

Cisco Secure Firewall Threat Defense Analytics

Raw Content

name: Cisco Secure Firewall - Malware File Downloaded
id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
version: 6
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    The following analytic detects file downloads that were classified as malware by Cisco Secure Firewall Threat Defense. It relies on the `SHA_Disposition` field with a value of "Malware" and includes metadata such as file name, file_hash hash, and threat classification. This analytic is critical for surfacing file-based threats that are identified via Cisco's AMP or Threat Grid integrations. If confirmed malicious, this could indicate delivery of malware.
data_source:
    - Cisco Secure Firewall Threat Defense File Event
search: |
    `cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
    | lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
    | stats count min(_time) as firstTime max(_time) as lastTime
            values(uri) as uri
            values(ClientApplication) as ClientApplication
            values(file_hash) as file_hash
            by FileDirection dest src dest_port FileType app file_name ThreatName Description
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime src dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
    | `cisco_secure_firewall___malware_file_downloaded_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The malware & file access policy must also enable logging.
known_false_positives: Malicious verdicts could be outdated or incorrect due to retroactive threat intel.
references:
    - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: File with Malware disposition downloaded from $dest$ over port $dest_port$ by $src$
    risk_objects:
        - field: src
          type: system
          score: 20
    threat_objects:
        - field: file_name
          type: file_name
        - field: file_hash
          type: file_hash
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
    asset_type: Endpoint
    mitre_attack_id:
        - T1203
        - T1105
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer