Cisco Secure Firewall - Oracle E-Business Suite Correlation

name: Cisco Secure Firewall - Oracle E-Business Suite Correlation
id: 9e995d21-6870-43de-acd9-76f372bcf323
version: 5
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
description: |
    This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs.
    The detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post compromise activity involving Cl0p.
    By correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations.
    Security teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (65454, 65455, 65377, 65378, 65413, 65414, 65415, 65456)
    | bin _time span=5m
    | fillnull
    | stats dc(signature_id) as unique_signature_count
            values(signature_id) as signature_id
            values(signature) as signature
            values(class_desc) as class_desc
            values(MitreAttackGroups) as MitreAttackGroups
            values(InlineResult) as InlineResult
            values(InlineResultReason) as InlineResultReason
            values(dest_port) as dest_port
            values(rule) as rule
            values(transport) as transport
            values(app) as app
            min(_time) as firstTime
            max(_time) as lastTime
            sum(eval(signature_id==65454)) as sig_template_preview
            sum(eval(signature_id==65455)) as sig_sync_servlet
            sum(eval(signature_id IN (65377,65378,65413,65414,65415,65456))) as sig_exploit_activity
      by src dest
    | where (
              (
                sig_exploit_activity >= 1
                AND
                (
                  sig_template_preview >= 1
                  OR
                  sig_sync_servlet >= 1
                )
              )
            OR
              (
                sig_template_preview >= 1
                AND
                sig_sync_servlet >= 1
              )
            OR
              unique_signature_count >= 2
            )
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_secure_firewall___oracle_e_business_suite_correlation_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The intrusion access policy must also be configured.
known_false_positives: False positives should be very unlikely.
references:
    - https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
    - https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
    - https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
    - https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$src$"
      search: '%original_detection_search% | search  dest = "$dest$" and src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Multiple Oracle E-Business Suite exploitation signatures $signature_id$ detected from source IP $src$ to destination IP $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: signature
          type: signature
        - field: src
          type: ip_address
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
        - Oracle E-Business Suite Exploitation
    asset_type: Network
    cve:
        - CVE-2025-61882
        - CVE-2025-61884
    security_domain: network
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Cloud
        - Splunk Enterprise Security
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/oracle_e_business_suite/oracle_e_business_suite.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer