Name:Cisco Secure Firewall - Rare Snort Rule Triggered id:e20313d2-7d63-4fcf-b2d9-d6e12c6c7bd7 version:1 date:2025-04-14 author:Nasreddine Bencherchali, Splunk status:production type:Hunting Description:This analytic identifies Snort signatures that have triggered only once in the past 7 days across all Cisco Secure Firewall IntrusionEvent logs. While these rules typically do not trigger in day-to-day network activity, their sudden appearance may indicate early-stage compromise, previously unseen malware, or reconnaissance activity against less commonly exposed services. Investigating these outliers can provide valuable insight into new or low-noise adversary behaviors.
Data_source:
search:`cisco_secure_firewall` EventType=IntrusionEvent earliest=-7d | stats dc(_time) as TriggerCount min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(src_ip) as src_ip values(dest) as dest values(dest_port) as dest_port values(transport) as transport values(app) as app values(rule) as rule by signature_id class_desc MitreAttackGroups InlineResult InlineResultReason | where TriggerCount = 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_secure_firewall___rare_snort_rule_triggered_filter`
how_to_implement:This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The intrusion access policy must also be configured.
known_false_positives:False positives may occur with certain rare activity. Apply additional filters where required. References: -https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf drilldown_searches:
: tags: analytic_story: - 'Cisco Secure Firewall Threat Defense Analytics' asset_type:Network security_domain:network mitre_attack_id: - 'T1598' - 'T1583.006' product: - 'Splunk Enterprise' - 'Splunk Cloud' - 'Splunk Enterprise Security' manual_test:This detection is a hunting search that has the fixed time range of 7 days baked into the search. Hence based on the time range of the data in the logs, the detection may or may not return results with TriggerCount = 1 in testing.
