Merge branch 'develop' into captcha

Author: patel-bhavin

dashboards/threat_activity_by_snort_ids.json

@@ -0,0 +1,6 @@
+name: Threat Activity by Snort IDs
+id: 77d805c2-747e-4b78-8979-52deca44254f
+version: 1
+date: '2025-04-29'
+author: Bhavin Patel, Nasreddine Bencherchali, Splunk
+description: Utilize this panel to correlate Snort intrusion events with known threat activity. Configure the Snort-ID-to-Threat lookup to enrich incoming signature data and populate the “Threat Activity by Snort IDs” view.

dashboards/threat_activity_by_snort_ids.yml

@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-05-19'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -32,7 +32,6 @@ tags:
   analytic_story:
   - Qakbot
   - Windows Persistence Techniques
-  - Winter Vivern
   - Prestige Ransomware
   - DarkCrystal RAT
   - AsyncRAT

detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml

@@ -0,0 +1,97 @@
+name: Cisco Secure Firewall - High Priority Intrusion Classification
+id: ec99bb81-c31b-4837-8c7d-1b32aa70b337
+version: 1
+date: '2025-04-28'
+author: Nasreddine Bencherchali, Splunk
+status: production
+type: TTP
+description: |
+  This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs.
+  It leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as:
+  
+  - A Network Trojan was Detected
+  - Successful Administrator Privilege Gain
+  - Successful User Privilege Gain
+  - Attempt to Login By a Default Username and Password
+  - Known malware command and control traffic
+  - Known malicious file or file based exploit
+  - Known client side exploit attempt
+  - Large Scale Information Leak"
+
+  These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation.
+data_source:
+  - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+  `cisco_secure_firewall` EventType=IntrusionEvent 
+          class_desc IN ("A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", "Large Scale Information Leak")
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime
+          values(signature_id) as signature_id 
+          values(MitreAttackGroups) as MitreAttackGroups 
+          values(InlineResult) as InlineResult 
+          values(InlineResultReason) as InlineResultReason 
+          values(dest_port) as dest_port 
+          values(rule) as rule 
+          values(transport) as transport 
+          values(app) as app
+          by src_ip, dest_ip, signature, class_desc
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cisco_secure_firewall___high_priority_intrusion_classification_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The intrusion access policy must also be configured.
+known_false_positives: Some intrusion events that are linked to these classifications might be noisy in certain environments. Apply a combination of filters for specific snort IDs and other indicators.
+references:
+  - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
+drilldown_searches:
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A high priority intrusion event with classification ($class_desc$) was detected from $src_ip$ to $dest_ip$, indicating potential suspicious activity.
+  risk_objects:
+    - field: dest_ip
+      type: system
+      score: 25
+  threat_objects:
+    - field: signature
+      type: signature
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story: 
+    - Cisco Secure Firewall Threat Defense Analytics
+  asset_type: Network
+  security_domain: network
+  mitre_attack_id:
+    - T1203
+    - T1003
+    - T1071
+    - T1190
+    - T1078
+  product:
+    - Splunk Enterprise
+    - Splunk Cloud
+    - Splunk Enterprise Security
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml

@@ -0,0 +1,81 @@
+name: Cisco Secure Firewall - Intrusion Events by Threat Activity
+id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
+version: 1
+date: '2025-05-12'
+author: Bhavin Patel, Nasreddine Bencherchali, Splunk
+status: production
+type: Anomaly
+description: |
+  This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. 
+  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures 
+  associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a 
+  lookup table (cisco_snort_ids_to_threat_mapping.csv) to map Snort signature IDs to known threat actors and their techniques. 
+  When multiple signatures associated with the same threat actor are triggered within the time window, and the count of 
+  unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated. 
+  This helps identify potential coordinated threat activity in your network environment by correlating related intrusion 
+  events that occur in close temporal proximity.
+data_source:
+  - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+  `cisco_secure_firewall` EventType=IntrusionEvent
+  | stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip signature_id
+  | lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
+  | where isnotnull(threat)
+  | bin _time span=1d
+  | stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip threat
+  | lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
+  | table _time, dest_ip, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
+  | where sig_count >= distinct_count_snort_ids
+  | `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The intrusion access policy must also be configured. This detection is based on the cisco_snort_ids_to_threat_mapping.csv mapping file - please update the lookup file with the latest Snort IDs to Threat Actors if you would like to modify the distinct count of Snort IDs needed to trigger the detection or if you would like to add new Snort IDs to Threat Actors.
+known_false_positives: False positives may occur due to legitimate security testing or research activities.
+references:
+  - https://www.cisco.com/c/en/us/products/security/firewalls/index.html
+drilldown_searches:
+- name: View the detection results for - "$dest_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest_ip$""
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Potential $threat$ activity detected from $src_ip$ to $dest_ip$.
+  risk_objects:
+    - field: dest_ip
+      type: system
+      score: 50
+  threat_objects:
+    - field: signature
+      type: signature
+tags:
+  analytic_story: 
+    - Cisco Secure Firewall Threat Defense Analytics
+  asset_type: Network
+  security_domain: network
+  mitre_attack_id:
+    - T1041
+    - T1573.002
+  product:
+    - Splunk Enterprise
+    - Splunk Cloud
+    - Splunk Enterprise Security
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -0,0 +1,93 @@
+name: Cisco Secure Firewall - Lumma Stealer Activity
+id: 96bce783-c22e-4e48-8cf1-3eb2794c5083
+version: 1
+date: '2025-04-28'
+author: Nasreddine Bencherchali, Splunk, Talos NTDR
+status: production
+type: TTP
+description: |
+  This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events. 
+  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host.
+  If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer.
+data_source:
+  - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+  `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811)
+  | bin _time span=15m
+  | fillnull
+  | stats dc(signature_id) as unique_signature_count 
+          values(signature_id) as signature_id 
+          values(signature) as signature 
+          values(class_desc) as class_desc 
+          values(MitreAttackGroups) as MitreAttackGroups 
+          values(InlineResult) as InlineResult 
+          values(InlineResultReason) as InlineResultReason 
+          values(dest_ip) as dest_ip 
+          values(dest_port) as dest_port 
+          values(rule) as rule 
+          values(transport) as transport 
+          values(app) as app 
+          min(_time) as firstTime 
+          max(_time) as lastTime 
+          by src_ip
+  | where unique_signature_count >= 3
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cisco_secure_firewall___lumma_stealer_activity_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The intrusion access policy must also be configured.
+known_false_positives: False positives should be very unlikely.
+references:
+  - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
+drilldown_searches:
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Lumma Stealer Activity on host $dest_ip$ origniating from $src_ip$
+  risk_objects:
+    - field: dest_ip
+      type: system
+      score: 25
+  threat_objects:
+    - field: signature
+      type: signature
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story: 
+    - Cisco Secure Firewall Threat Defense Analytics
+    - Lumma Stealer
+  asset_type: Network
+  security_domain: network
+  mitre_attack_id:
+    - T1190
+    - T1210
+    - T1027
+    - T1204
+  product:
+    - Splunk Enterprise
+    - Splunk Cloud
+    - Splunk Enterprise Security
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/cisco_secure_firewall___lumma_stealer_activity.yml

@@ -0,0 +1,75 @@
+name: Cisco Secure Firewall - Lumma Stealer Download Attempt
+id: 66f22f52-fbae-4be7-a263-561dacb63613
+version: 1
+date: '2025-04-26'
+author: Nasreddine Bencherchali, Splunk, Talos NTDR
+status: production
+type: Anomaly
+description: |
+  This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events. 
+  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.
+data_source:
+  - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+  `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811)
+  | fillnull
+  | stats min(_time) as firstTime max(_time) as lastTime 
+          by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cisco_secure_firewall___lumma_stealer_download_attempt_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The intrusion access policy must also be configured.
+known_false_positives: False positives should be unlikely.
+references:
+  - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
+drilldown_searches:
+- name: View the detection results for - "$dest_ip$" and "$src_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$" and src_ip = "$src_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest_ip$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Lumma Stealer Download Attempt detected on host $dest_ip$ origniating from $src_ip$
+  risk_objects:
+    - field: dest_ip
+      type: system
+      score: 25
+  threat_objects:
+    - field: signature
+      type: signature
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story: 
+    - Cisco Secure Firewall Threat Defense Analytics
+    - Lumma Stealer
+  asset_type: Network
+  security_domain: network
+  mitre_attack_id:
+    - T1041
+    - T1573.002
+  product:
+    - Splunk Enterprise
+    - Splunk Cloud
+    - Splunk Enterprise Security
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer