
Commit 271fd75

update analytics after review suggestions
1 parent 38cb11c commit 271fd75

10 files changed, +24 / -8 lines changed

detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -75,6 +75,7 @@ tags:
7575
- Command And Control
7676
- Ransomware
7777
- Remote Monitoring and Management Software
78+
- Cisco Secure Firewall Threat Defense Analytics
7879
asset_type: Network
7980
mitre_attack_id:
8081
- T1219
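Review bot: the added analytic_story entry "Cisco Secure Firewall Threat Defense Analytics" is repeated verbatim across all ten files in this commit, so it must match the title of an existing story definition exactly; confirm that story exists in the repository before merging, since a one-character mismatch would break every detection touched here. This file also keeps asset_type: Network while the other nine detections tagged with the same story use asset_type: Endpoint; if that difference is intended for firewall telemetry, it deserves a line in the commit message.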

detections/network/detect_outbound_ldap_traffic.yml

Lines changed: 1 addition & 0 deletions
@@ -37,6 +37,7 @@ references:
3737
tags:
3838
analytic_story:
3939
- Log4Shell CVE-2021-44228
40+
- Cisco Secure Firewall Threat Defense Analytics
4041
asset_type: Endpoint
4142
cve:
4243
- CVE-2021-44228

detections/network/detect_outbound_smb_traffic.yml

Lines changed: 1 addition & 0 deletions
@@ -53,6 +53,7 @@ tags:
5353
- Hidden Cobra Malware
5454
- DHS Report TA18-074A
5555
- NOBELIUM Group
56+
- Cisco Secure Firewall Threat Defense Analytics
5657
asset_type: Endpoint
5758
mitre_attack_id:
5859
- T1071.002

detections/network/internal_horizontal_port_scan.yml

Lines changed: 5 additions & 2 deletions
@@ -50,13 +50,16 @@ rba:
5050
message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
5151
IPs
5252
risk_objects:
53-
- field: src_ip
53+
- field: dest_port
5454
type: system
5555
score: 64
56-
threat_objects: []
56+
threat_objects:
57+
- field: src_ip
58+
type: ip_address
5759
tags:
5860
analytic_story:
5961
- Network Discovery
62+
- Cisco Secure Firewall Threat Defense Analytics
6063
asset_type: Endpoint
6164
mitre_attack_id:
6265
- T1046
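Review bot: the risk object in this hunk is switched from src_ip to dest_port with type: system, but a destination port is not an asset that risk can be attributed to and aggregated on, and the message on the preceding context line refers to $dest_ports$ (plural), so a field named dest_port may not even be present in the search output. Moving the scanner to threat_objects as src_ip / ip_address is fine, but the risk object should still name a scoreable entity: either keep src_ip as the risk object, or use dest_ip as the internal_vertical_port_scan.yml hunk in this same commit does.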

detections/network/internal_horizontal_port_scan_nmap_top_20.yml

Lines changed: 5 additions & 2 deletions
@@ -52,13 +52,16 @@ rba:
5252
message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
5353
IPs
5454
risk_objects:
55-
- field: src_ip
55+
- field: dest_zone
5656
type: system
5757
score: 72
58-
threat_objects: []
58+
threat_objects:
59+
- field: src_ip
60+
type: ip_address
5961
tags:
6062
analytic_story:
6163
- Network Discovery
64+
- Cisco Secure Firewall Threat Defense Analytics
6265
asset_type: Endpoint
6366
mitre_attack_id:
6467
- T1046
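Review bot: this hunk makes the risk object dest_zone with type: system, which differs from the dest_port chosen in the otherwise identical internal_horizontal_port_scan.yml hunk in this commit; the two horizontal scan detections should agree on which entity carries the risk score. A firewall zone is neither a system nor a field the message references (it uses $src_ip$, $dest_ports$ and $totalDestIPCount$), and attributing a score of 72 to a whole zone would pile risk onto one coarse object every time any host in it is scanned. Suggest aligning both files on the same scoreable risk object.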

detections/network/internal_vertical_port_scan.yml

Lines changed: 6 additions & 3 deletions
@@ -50,13 +50,16 @@ drilldown_searches:
5050
rba:
5151
message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$
5252
risk_objects:
53-
- field: src_ip
53+
- field: dest_ip
5454
type: system
55-
score: 64
56-
threat_objects: []
55+
score: 60
56+
threat_objects:
57+
- field: src_ip
58+
type: ip_address
5759
tags:
5860
analytic_story:
5961
- Network Discovery
62+
- Cisco Secure Firewall Threat Defense Analytics
6063
asset_type: Endpoint
6164
mitre_attack_id:
6265
- T1046
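Review bot: the score is lowered from 64 to 60 in this hunk with no rationale in the commit message ("update analytics after review suggestions"), and it is the only score change in the commit while the two horizontal port scan detections keep 64 and 72; a one-line justification would help future reviewers understand why vertical scans now rank below horizontal ones. The risk object change to dest_ip / type: system is consistent with the message ($src_ip$ has scanned ports on $dest_ip$) and with moving src_ip to threat_objects.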

detections/network/prohibited_network_traffic_allowed.yml

Lines changed: 1 addition & 0 deletions
@@ -58,6 +58,7 @@ tags:
5858
- Prohibited Traffic Allowed or Protocol Mismatch
5959
- Ransomware
6060
- Command And Control
61+
- Cisco Secure Firewall Threat Defense Analytics
6162
asset_type: Endpoint
6263
mitre_attack_id:
6364
- T1048

detections/network/protocol_or_port_mismatch.yml

Lines changed: 1 addition & 0 deletions
@@ -56,6 +56,7 @@ tags:
5656
analytic_story:
5757
- Prohibited Traffic Allowed or Protocol Mismatch
5858
- Command And Control
59+
- Cisco Secure Firewall Threat Defense Analytics
5960
asset_type: Endpoint
6061
mitre_attack_id:
6162
- T1048.003

detections/network/protocols_passing_authentication_in_cleartext.yml

Lines changed: 2 additions & 1 deletion
@@ -45,7 +45,7 @@ drilldown_searches:
4545
earliest_offset: $info_min_time$
4646
latest_offset: $info_max_time$
4747
rba:
48-
message: Potential Authentication in cleartext
48+
message: Allowed Traffic from $src_ip$ to $dest_ip$ over port $dest_port$. Which might indicate a potential authentication attempts over a cleartext protocol.
4949
risk_objects:
5050
- field: user
5151
type: user
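Review bot: the new rba message on the added line is grammatically broken: "Which might indicate a potential authentication attempts over a cleartext protocol." is a sentence fragment with a singular article before a plural noun. Suggest one sentence, for example: message: Allowed traffic from $src_ip$ to $dest_ip$ over port $dest_port$, which might indicate authentication attempts over a cleartext protocol. Also confirm that src_ip, dest_ip and dest_port are all produced by the search, since the old message referenced no fields and the risk object below is user, not any of the three.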
@@ -59,6 +59,7 @@ rba:
5959
tags:
6060
analytic_story:
6161
- Use of Cleartext Protocols
62+
- Cisco Secure Firewall Threat Defense Analytics
6263
asset_type: Endpoint
6364
product:
6465
- Splunk Enterprise

detections/network/tor_traffic.yml

Lines changed: 1 addition & 0 deletions
@@ -60,6 +60,7 @@ tags:
6060
- Ransomware
6161
- NOBELIUM Group
6262
- Command And Control
63+
- Cisco Secure Firewall Threat Defense Analytics
6364
asset_type: Endpoint
6465
mitre_attack_id:
6566
- T1090.003
