Merge pull request #3535 from splunk/ftd-cim-update

Update Network CIM Analytics With FTD Data

Author: pyth0n1c

data_sources/cisco_secure_firewall_threat_defense_connection_event.yml

@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall Threat Defense Connection Event
 id: 18878597-8f8a-4bca-a805-bfbe35e00032
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-22'
 author: Nasreddine Bencherchali, Splunk
 description: Data source object for raw connection events from Cisco Secure Firewall
   Threat Defense
@@ -114,7 +114,6 @@ output_fields:
 - dest_port
 - transport
 - rule
-- url
 - action
 example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
   "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110",

detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml

@@ -0,0 +1,93 @@
+name: Cisco Secure Firewall - Remote Access Software Usage Traffic
+id: ac54d39e-a75d-4f42-971d-006db3a0423a
+version: 1
+date: '2025-05-02'
+author: Nasreddine Bencherchali, Splunk
+status: production
+type: Anomaly
+description: |
+  The following analytic detects network traffic associated with known remote access software applications
+  that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.
+  It leverages Cisco Secure Firewall Threat Defense Connection Event.
+  This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments.
+  If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate
+  data, or deploy additional malware, posing a severe threat to the organization's security.
+data_source:
+- Cisco Secure Firewall Threat Defense Connection Event
+search: |
+  `cisco_secure_firewall` EventType=ConnectionEvent
+  | stats min(_time) as firstTime max(_time) as lastTime 
+        values(dest_port) as dest_port
+        values(dest) as dest
+        values(transport) as transport
+        values(url) as url
+        values(rule) as rule
+        count by src_ip ClientApplication action
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools appName AS ClientApplication OUTPUT category, appDescription as Description
+  | search category IN ("remote administration", "remote desktop control")
+  | `remote_access_software_usage_exceptions`
+  | `cisco_secure_firewall___remote_access_software_usage_traffic_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the ConnectionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The access policy must also enable logging.
+  The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions"
+  that lets you track and maintain device- based exceptions for this set of detections.
+known_false_positives: |
+  It is possible that legitimate remote access software is used within the environment. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
+references:
+- https://attack.mitre.org/techniques/T1219/
+- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+drilldown_searches:
+- name: View the detection results for - "$src_ip$"
+  search: '%original_detection_search% | search  src_ip = "$src_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Traffic to known remote access software [$ClientApplication$] was detected from $src_ip$.
+  risk_objects:
+  - field: src_ip
+    type: system
+    score: 25
+  threat_objects:
+  - field: ClientApplication
+    type: signature
+tags:
+  analytic_story:
+  - Insider Threat
+  - Command And Control
+  - Ransomware
+  - Remote Monitoring and Management Software
+  - Cisco Secure Firewall Threat Defense Analytics
+  asset_type: Network
+  mitre_attack_id:
+  - T1219
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  manual_test: This detection uses A&I lookups from Enterprise Security.
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/detect_outbound_ldap_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Outbound LDAP Traffic
 id: 5e06e262-d7cd-4216-b2f8-27b437e18458
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-05-22'
 author: Bhavin Patel, Johan Bjerke, Splunk
 status: production
 type: Hunting
@@ -14,20 +14,21 @@ description: The following analytic identifies outbound LDAP traffic to external
   network compromise.
 data_source:
 - Palo Alto Network Traffic
+- Cisco Secure Firewall Threat Defense Connection Event
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic
   where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip
   = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12)
   by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
   All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
   All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
-  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product |`drop_dm_object_name("All_Traffic")`
+  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule |`drop_dm_object_name("All_Traffic")`
   | where src_ip != dest_ip | `security_content_ctime(firstTime)`  | `security_content_ctime(lastTime)`
   |`detect_outbound_ldap_traffic_filter`'
 how_to_implement: In order to properly run this search, Splunk needs to ingest data
-  from Next Generation Firewalls like Palo Alto Networks Firewalls or other network
-  control devices that mediate the traffic allowed into an environment. The search
-  requires the Network_Traffic data model to be populated.
+  from Next Generation Firewalls like, Cisco Secure Firewall Threat Defense, Palo Alto Networks Firewalls
+  or other network control devices that mediate the traffic allowed into an environment.
+  The search requires the Network_Traffic data model to be populated.
 known_false_positives: Unknown at this moment. Outbound LDAP traffic should not be
   allowed outbound through your perimeter firewall. Please check those servers to
   verify if the activity is legitimate.
@@ -36,6 +37,7 @@ references:
 tags:
   analytic_story:
   - Log4Shell CVE-2021-44228
+  - Cisco Secure Firewall Threat Defense Analytics
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
@@ -48,8 +50,13 @@ tags:
   - Splunk Cloud
   security_domain: network
 tests:
-- name: True Positive Test
+- name: Palo Alto True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/log4shell_ldap_traffic/pantraffic.log
     sourcetype: pan:traffic
     source: pan:traffic
+- name: Cisco Secure Firewall True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/detect_outbound_smb_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Outbound SMB Traffic
 id: 1bed7774-304a-4e8f-9d72-d80e45ff492b
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2025-05-22'
 author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss
 status: experimental
 type: TTP
@@ -15,20 +15,21 @@ description: The following analytic detects outbound SMB (Server Message Block)
   full system compromise.
 data_source:
 - Zeek Conn
+- Cisco Secure Firewall Threat Defense Connection Event
 search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time)
   as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app
   values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed
   All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
   AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT
   All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10")
   by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
-  All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+  All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
   All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
-  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")`  |
+  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule | `drop_dm_object_name("All_Traffic")`  |
   `security_content_ctime(start_time)`  | `security_content_ctime(end_time)`  | iplocation
   dest_ip | `detect_outbound_smb_traffic_filter`'
-how_to_implement: This search also requires you to be ingesting your network traffic
-  and populating the Network_Traffic data model
+how_to_implement: This search requires you to be ingesting your network traffic
+  and populating the Network_Traffic data model.
 known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic
   is legitimate, if the company's internal networks are not well-defined in the Assets
   and Identity Framework. Categorize the internal CIDR blocks as `internal` in the
@@ -52,6 +53,7 @@ tags:
   - Hidden Cobra Malware
   - DHS Report TA18-074A
   - NOBELIUM Group
+  - Cisco Secure Firewall Threat Defense Analytics
   asset_type: Endpoint
   mitre_attack_id:
   - T1071.002
@@ -61,8 +63,13 @@ tags:
   - Splunk Cloud
   security_domain: network
 tests:
-- name: True Positive Test
+- name: Zeek True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log
     sourcetype: bro:conn:json
     source: conn.log
+- name: Cisco Secure Firewall True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/internal_horizontal_port_scan.yml

@@ -1,12 +1,13 @@
 name: Internal Horizontal Port Scan
 id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-22'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
 - AWS CloudWatchLogs VPCflow
+- Cisco Secure Firewall Threat Defense Connection Event
 description: This analytic identifies instances where an internal host has attempted
   to communicate with 250 or more destination IP addresses using the same port and
   protocol. Horizontal port scans from internal hosts can indicate reconnaissance
@@ -17,7 +18,7 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
   values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as
   dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port)
   as src_port count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
-  by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport
+  by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport All_Traffic.rule span=1s _time
   | `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime |
   stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount
   values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone)
@@ -49,13 +50,16 @@ rba:
   message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
     IPs
   risk_objects:
-  - field: src_ip
+  - field: dest_ports
     type: system
     score: 64
-  threat_objects: []
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - Network Discovery
+  - Cisco Secure Firewall Threat Defense Analytics
   asset_type: Endpoint
   mitre_attack_id:
   - T1046
@@ -65,8 +69,13 @@ tags:
   - Splunk Cloud
   security_domain: network
 tests:
-- name: True Positive Test
+- name: AWS CloudWatch True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
     source: aws:cloudwatchlogs:vpcflow
     sourcetype: aws:cloudwatchlogs:vpcflow
+- name: Cisco Secure Firewall True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/internal_horizontal_port_scan_nmap_top_20.yml

@@ -1,12 +1,13 @@
 name: Internal Horizontal Port Scan NMAP Top 20
 id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2025-05-22'
 author: Dean Luxton
 status: production
 type: TTP
 data_source:
 - AWS CloudWatchLogs VPCflow
+- Cisco Secure Firewall Threat Defense Connection Event
 description: This analytic identifies instances where an internal host has attempted
   to communicate with 250 or more destination IP addresses using on of the NMAP top
   20 ports. Horizontal port scans from internal hosts can indicate reconnaissance
@@ -19,17 +20,17 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
   as src_port count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
   AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443,
   445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.src
-  All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.dest span=1s _time All_Traffic.transport  |
+  All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.dest All_Traffic.transport All_Traffic.rule span=1s _time |
   `drop_dm_object_name("All_Traffic")`  | eval gtime=_time  | bin span=1h gtime  |
   stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount
-  values(src_category) as src_category values(dest_zone)  as dest_zone values(src_zone)
+  values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone)
   as src_zone by src_ip dest_port gtime transport  | where totalDestIPCount>=250  |
   eval dest_port=transport + "/" + dest_port  | stats min(_time) as _time values(action)
   as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category
   values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone)
   as src_zone by src_ip gtime  | fields - gtime  | `internal_horizontal_port_scan_nmap_top_20_filter`'
 how_to_implement: To properly run this search, Splunk needs to ingest data from networking
-  telemetry sources such as firewalls, NetFlow, or host-based networking events. Ensure
+  telemetry sources such as firewalls like Cisco Secure Firewall, NetFlow, or host-based networking events. Ensure
   that the Network_Traffic data model is populated to enable this search effectively.
 known_false_positives: Unknown
 references: []
@@ -51,13 +52,16 @@ rba:
   message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination
     IPs
   risk_objects:
-  - field: src_ip
+  - field: dest_ports
     type: system
     score: 72
-  threat_objects: []
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - Network Discovery
+  - Cisco Secure Firewall Threat Defense Analytics
   asset_type: Endpoint
   mitre_attack_id:
   - T1046
@@ -67,8 +71,13 @@ tags:
   - Splunk Cloud
   security_domain: network
 tests:
-- name: True Positive Test
+- name: AWS CloudWatch True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
     source: aws:cloudwatchlogs:vpcflow
     sourcetype: aws:cloudwatchlogs:vpcflow
+- name: Cisco Secure Firewall True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer