EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Prohibited Network Traffic Allowed

The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.

MITRE ATT&CK

T1048

Detection Query

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
  WHERE All_Traffic.action IN ("allowed", "allow") [
| inputlookup interesting_ports_lookup where is_prohibited="true"
| table dest_port transport
| dedup dest_port transport
| rename dest_port as All_Traffic.dest_port
| rename transport as All_Traffic.transport] by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action All_Traffic.dvc All_Traffic.src_port All_Traffic.vendor_product All_Traffic.rule
| lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port transport as All_Traffic.transport OUTPUT app is_prohibited note
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `prohibited_network_traffic_allowed_filter`

Author

Rico Valdez, Splunk

Created

2026-03-10

Data Sources

Cisco Secure Firewall Threat Defense Connection Event

Tags

Prohibited Traffic Allowed or Protocol MismatchRansomwareCommand And ControlCisco Secure Firewall Threat Defense Analytics
Raw Content
name: Prohibited Network Traffic Allowed
id: ce5a0962-849f-4720-a678-753fe6674479
version: 12
date: '2026-03-10'
author: Rico Valdez, Splunk
status: production
type: TTP
description: The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the "lookup_interesting_ports" table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization's security posture.
data_source:
    - Cisco Secure Firewall Threat Defense Connection Event
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
      WHERE All_Traffic.action IN ("allowed", "allow") [
    | inputlookup interesting_ports_lookup where is_prohibited="true"
    | table dest_port transport
    | dedup dest_port transport
    | rename dest_port as All_Traffic.dest_port
    | rename transport as All_Traffic.transport] by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action All_Traffic.dvc All_Traffic.src_port All_Traffic.vendor_product All_Traffic.rule
    | lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port transport as All_Traffic.transport OUTPUT app is_prohibited note
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `drop_dm_object_name("All_Traffic")`
    | `prohibited_network_traffic_allowed_filter`
how_to_implement: In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for - "$src_ip$"
      search: '%original_detection_search% | search  src_ip = "$src_ip$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_ip$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Potentially Prohibited Network Traffic allowed
    risk_objects:
        - field: src_ip
          type: system
          score: 50
    threat_objects:
        - field: dest_ip
          type: ip_address
tags:
    analytic_story:
        - Prohibited Traffic Allowed or Protocol Mismatch
        - Ransomware
        - Command And Control
        - Cisco Secure Firewall Threat Defense Analytics
    asset_type: Endpoint
    mitre_attack_id:
        - T1048
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
    manual_test: This detection uses a builtin lookup from Enterprise Security.
tests:
    - name: Cisco Secure Firewall True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer