splunk_escuAnomaly

Cisco Secure Firewall - File Download Over Uncommon Port

The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious this indicate potential malware delivery or other nefarious activity.

MITRE ATT&CK

T1105 T1571

Detection Query

`cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
        values(file_name) as file_name
        values(uri) as uri
        values(ClientApplication) as ClientApplication
        values(file_hash) as file_hash
        values(SHA_Disposition) as SHA_Disposition
        by FileDirection FileType app ThreatName dest_port Description src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName
| `cisco_secure_firewall___file_download_over_uncommon_port_filter`

Author

Nasreddine Bencherchali, Splunk

Created

2026-03-10

Data Sources

Cisco Secure Firewall Threat Defense File Event

References

https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf

Tags

Cisco Secure Firewall Threat Defense Analytics

Raw Content

name: Cisco Secure Firewall - File Download Over Uncommon Port
id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
version: 6
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious this indicate potential malware delivery or other nefarious activity.
data_source:
    - Cisco Secure Firewall Threat Defense File Event
search: |
    `cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)
    | lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
    | stats count min(_time) as firstTime max(_time) as lastTime
            values(file_name) as file_name
            values(uri) as uri
            values(ClientApplication) as ClientApplication
            values(file_hash) as file_hash
            values(SHA_Disposition) as SHA_Disposition
            by FileDirection FileType app ThreatName dest_port Description src dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime src dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName
    | `cisco_secure_firewall___file_download_over_uncommon_port_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The malware & file access policy must also enable logging.
known_false_positives: Some legitimate applications may download files over custom ports (e.g., CDN mirrors, APIs). Apply additional filters accordingly.
references:
    - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The host $src$ downloaded a file $file_name$ of type $FileType$ from $dest$ over the uncommon port $dest_port$
    risk_objects:
        - field: src
          type: system
          score: 20
    threat_objects:
        - field: file_name
          type: file_name
        - field: file_hash
          type: file_hash
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
    asset_type: Endpoint
    mitre_attack_id:
        - T1105
        - T1571
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer