Merge branch 'develop' into fix-issues-0525

Author: patel-bhavin

dashboards/threat_activity_by_snort_ids.json

@@ -0,0 +1,6 @@
+name: Threat Activity by Snort IDs
+id: 77d805c2-747e-4b78-8979-52deca44254f
+version: 1
+date: '2025-04-29'
+author: Bhavin Patel, Nasreddine Bencherchali, Splunk
+description: Utilize this panel to correlate Snort intrusion events with known threat activity. Configure the Snort-ID-to-Threat lookup to enrich incoming signature data and populate the “Threat Activity by Snort IDs” view.

dashboards/threat_activity_by_snort_ids.yml

@@ -0,0 +1,81 @@
+name: Cisco Secure Firewall - Intrusion Events by Threat Activity
+id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
+version: 1
+date: '2025-05-12'
+author: Bhavin Patel, Nasreddine Bencherchali, Splunk
+status: production
+type: Anomaly
+description: |
+  This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. 
+  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures 
+  associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a 
+  lookup table (cisco_snort_ids_to_threat_mapping.csv) to map Snort signature IDs to known threat actors and their techniques. 
+  When multiple signatures associated with the same threat actor are triggered within the time window, and the count of 
+  unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated. 
+  This helps identify potential coordinated threat activity in your network environment by correlating related intrusion 
+  events that occur in close temporal proximity.
+data_source:
+  - Cisco Secure Firewall Threat Defense Intrusion Event
+search: |
+  `cisco_secure_firewall` EventType=IntrusionEvent
+  | stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip signature_id
+  | lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
+  | where isnotnull(threat)
+  | bin _time span=1d
+  | stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip threat
+  | lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
+  | table _time, dest_ip, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
+  | where sig_count >= distinct_count_snort_ids
+  | `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
+how_to_implement: |
+  This search requires Cisco Secure Firewall Threat Defense Logs, which
+  includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
+  We strongly recommend that you specify your environment-specific configurations
+  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
+  with configurations for your Splunk environment. The search also uses a post-filter
+  macro designed to filter out known false positives.
+  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+  The intrusion access policy must also be configured. This detection is based on the cisco_snort_ids_to_threat_mapping.csv mapping file - please update the lookup file with the latest Snort IDs to Threat Actors if you would like to modify the distinct count of Snort IDs needed to trigger the detection or if you would like to add new Snort IDs to Threat Actors.
+known_false_positives: False positives may occur due to legitimate security testing or research activities.
+references:
+  - https://www.cisco.com/c/en/us/products/security/firewalls/index.html
+drilldown_searches:
+- name: View the detection results for - "$dest_ip$"
+  search: '%original_detection_search% | search  dest_ip = "$dest_ip$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest_ip$""
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Potential $threat$ activity detected from $src_ip$ to $dest_ip$.
+  risk_objects:
+    - field: dest_ip
+      type: system
+      score: 50
+  threat_objects:
+    - field: signature
+      type: signature
+tags:
+  analytic_story: 
+    - Cisco Secure Firewall Threat Defense Analytics
+  asset_type: Network
+  security_domain: network
+  mitre_attack_id:
+    - T1041
+    - T1573.002
+  product:
+    - Splunk Enterprise
+    - Splunk Cloud
+    - Splunk Enterprise Security
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
+    source: not_applicable
+    sourcetype: cisco:sfw:estreamer

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -0,0 +1,102 @@
+threat,signature_id,category,message
+AgentTesla,40238,MALWARE-CNC,Win.Keylogger.AgentTesla variant outbound connection
+AgentTesla,52246,INDICATOR-COMPROMISE,AgentTesla variant outbound connection attempt
+AgentTesla,52612,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection detected
+AgentTesla,52613,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection detected
+AgentTesla,59133,MALWARE-CNC,Win.Trojan.AgentTesla outbound connection attempt
+AgentTesla,61564,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection
+AgentTesla,61565,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection
+AgentTesla,61566,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection
+AgentTesla,61567,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection
+AgentTesla,61570,MALWARE-OTHER,Win.Trojan.AgentTesla variant download attempt
+AgentTesla,61571,MALWARE-OTHER,Win.Trojan.AgentTesla variant download attempt
+Amadey,51636,MALWARE-CNC,Win.Trojan.Amadey botnet outbound connection
+Amadey,57204,MALWARE-CNC,Win.Trojan.Amadey outbound connection attempt
+Amadey,60570,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
+Amadey,60571,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
+Amadey,60572,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
+AsyncRAT,58773,MALWARE-CNC,Rat.Trojan.AsyncRAT variant cnc connection
+Chafer,45972,MALWARE-CNC,Win.Trojan.Chafer malicious communication attempt
+Chafer,45973,MALWARE-CNC,Win.Trojan.Chafer malicious communication attempt
+DCRAT,58356,MALWARE-CNC,Win.Trojan.DCRAT variant outbound connection
+DCRAT,58357,MALWARE-CNC,Win.Trojan.DCRAT variant outbound connection
+DCRAT,58359,MALWARE-CNC,Win.Trojan.DCRAT variant outbound connection
+DCRAT,64056,MALWARE-CNC,Win.Trojan.DCRat variant outbound communication attempt
+DCRAT,64061,MALWARE-OTHER,Win.Trojan.DCRat variant payload download attempt
+DCRAT,64062,MALWARE-OTHER,Win.Trojan.DCRat variant payload download attempt
+DCRAT,64370,MALWARE-OTHER,Win.Trojan.DcRat variant download attempt
+DCRAT,64371,MALWARE-OTHER,Win.Trojan.DcRat variant download attempt
+DCRAT,64372,MALWARE-CNC,Win.Trojan.DcRat variant communication attempt
+DCRAT,64373,MALWARE-CNC,Win.Trojan.DcRat variant communication attempt
+Lumma Stealer,62709,MALWARE-CNC,Win.Malware.Lumma variant outbound connection
+Lumma Stealer,62710,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62711,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62712,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62713,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62714,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62715,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62716,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,62717,MALWARE-OTHER,Win.Malware.Lumma variant download attempt
+Lumma Stealer,64167,MALWARE-CNC,Win.Stealer.Lumma variant outbound connection attempt
+Lumma Stealer,64168,MALWARE-CNC,Win.Stealer.Lumma variant outbound connection attempt
+Lumma Stealer,64169,MALWARE-CNC,Win.Stealer.Lumma variant outbound connection attempt
+Lumma Stealer,64793,MALWARE-CNC,Win.Infostealer.LummaStealer variant outbound communication attempt
+Lumma Stealer,64794,MALWARE-CNC,Win.Infostealer.LummaStealer variant outbound communication attempt
+Lumma Stealer,64796,MALWARE-OTHER,Win.InfoStealer.LummaStealer outbound communication attempt
+Lumma Stealer,64797,MALWARE-CNC,Win.InfoStealer.LummaStealer variant outbound connection attempt
+Lumma Stealer,64798,MALWARE-CNC,Win.InfoStealer.LummaStealer variant outbound connection attempt
+Lumma Stealer,64799,MALWARE-CNC,Win.InfoStealer.LummaStealer variant outbound connection attempt
+Lumma Stealer,64800,MALWARE-CNC,Win.InfoStealer.LummaStealer variant outbound connection attempt
+Lumma Stealer,64801,MALWARE-CNC,Win.InfoStealer.LummaStealer variant outbound connection attempt
+Lumma Stealer,64810,MALWARE-OTHER,Win.Malware.Lumma variant powershell script download attempt
+Lumma Stealer,64811,MALWARE-OTHER,Win.Malware.Lumma variant powershell script download attempt
+Lumma Stealer,64812,MALWARE-OTHER,Win.Malware.Lumma variant malicious webpage popup attempt
+Nobelium,57687,MALWARE-OTHER,Win.Trojan.Nobelium malicious shortcut download attempt
+Nobelium,57688,MALWARE-OTHER,Win.Trojan.Nobelium ISO download attempt
+Nobelium,57689,MALWARE-OTHER,Win.Trojan.Nobelium malicious shortcut download attempt
+Nobelium,57690,MALWARE-OTHER,Win.Trojan.Nobelium ISO download attempt
+Nobelium,57691,MALWARE-OTHER,Win.Trojan.Nobelium CobaltStrike beacon download attempt
+Nobelium,57692,MALWARE-OTHER,Win.Trojan.Nobelium CobaltStrike beacon download attempt
+Quasar,50381,MALWARE-CNC,Win.Trojan.Quasar variant outbound connection
+Quasar,50382,MALWARE-CNC,Win.Trojan.Quasar variant outbound connection
+Quasar,50383,MALWARE-CNC,Win.Trojan.Quasar variant outbound connection
+Quasar,58358,MALWARE-CNC,Win.Trojan.Quasar variant outbound connection
+Remcos,47299,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,47300,MALWARE-CNC,Win.Trojan.Remcos variant inbound payload download
+Remcos,47301,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,47302,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,47303,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,47304,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,47305,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,52614,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection detected
+Remcos,53792,MALWARE-CNC,Win.Malware.Remcos variant outbound cnc connection
+Remcos,53793,MALWARE-OTHER,Win.Dropper.Remcos payload download attempt
+Remcos,53794,MALWARE-OTHER,Win.Dropper.Remcos payload download attempt
+Remcos,53795,MALWARE-OTHER,Win.Dropper.Remcos payload download attempt
+Remcos,53796,MALWARE-OTHER,Win.Dropper.Remcos payload download attempt
+Remcos,54436,MALWARE-OTHER,Win.Packed.Remcos-8401633-0 download attempt
+Remcos,54437,MALWARE-OTHER,Win.Packed.Remcos-8401633-0 download attempt
+Remcos,54850,MALWARE-OTHER,Win.Dropper.Remcos-9446016-0 download attempt
+Remcos,54851,MALWARE-OTHER,Win.Dropper.Remcos-9446016-0 download attempt
+Remcos,54852,MALWARE-OTHER,Win.Dropper.Remcos-9446018-0 download attempt
+Remcos,54853,MALWARE-OTHER,Win.Dropper.Remcos-9446018-0 download attempt
+Remcos,56517,MALWARE-OTHER,Win.Dropper.Remcos-9801059-0 download attempt
+Remcos,56518,MALWARE-OTHER,Win.Dropper.Remcos-9801059-0 download attempt
+Remcos,57431,MALWARE-CNC,Win.Trojan.Remcos variant outbound connection
+Remcos,61674,MALWARE-OTHER,One.Dropper.Remcos variant binary download attempt
+Remcos,61675,MALWARE-OTHER,One.Dropper.Remcos variant binary download attempt
+Remcos,64183,MALWARE-OTHER,Win.Trojan.Remcos variant download attempt
+Remcos,64184,MALWARE-OTHER,Win.Trojan.Remcos variant download attempt
+snake,53106,MALWARE-OTHER,Win.Trojan.Snake malicious executable download attempt
+snake,53107,MALWARE-OTHER,Win.Trojan.Snake malicious executable download attempt
+snake,64072,MALWARE-CNC,Win.KeyLogger.Snake outbound connection
+snake,64073,MALWARE-OTHER,Win.KeyLogger.Snake download attempt
+Snake,7717,MALWARE-BACKDOOR,snake trojan runtime detection
+Xworm,62772,MALWARE-OTHER,Win.Trojan.Xworm download attempt
+Xworm,62773,MALWARE-OTHER,Win.Trojan.Xworm download attempt
+Xworm,62774,MALWARE-OTHER,Win.Trojan.Xworm download attempt
+Xworm,62775,MALWARE-OTHER,Win.Trojan.Xworm download attempt
+Xworm,64185,MALWARE-CNC,Win.Dropper.Xworm variant inbound communication
+Xworm,64186,MALWARE-CNC,Win.Dropper.Xworm variant inbound communication
+Xworm,64187,MALWARE-OTHER,Win.Dropper.Xworm variant download attempt
+Xworm,64188,MALWARE-OTHER,Win.Dropper.Xworm variant download attempt

lookups/cisco_snort_ids_to_threat_mapping.csv

@@ -0,0 +1,9 @@
+name: cisco_snort_ids_to_threat_mapping
+date: 2025-05-12
+version: 1
+id: f08ae6ce-d7a8-423e-a778-be7178a719f9
+author: Splunk Threat Research Team
+lookup_type: csv
+case_sensitive_match: false
+description: Mapping file of Snort IDs to Threats
+min_matches: 1

lookups/cisco_snort_ids_to_threat_mapping.yml

@@ -0,0 +1,12 @@
+threat,description,distinct_count_snort_ids
+AgentTesla,"AgentTesla is a widely used .NET-based infostealer that exfiltrates credentials, clipboard data, and keystrokes. It often spreads via phishing emails with malicious attachments.",2
+Amadey,"Amadey is a lightweight malware primarily used as a loader for deploying additional payloads. It collects system information and often works alongside other malware like SmokeLoader.",1
+AsyncRAT,"AsyncRAT is an open-source Remote Access Trojan (RAT) used for remote control, keylogging, and credential theft. It's commonly used by both amateurs and cybercriminals due to its ease of deployment.",1
+Chafer,"Chafer is an Iranian nation-state threat group known for cyberespionage against Middle Eastern and Western targets. They primarily target government and critical infrastructure using custom malware.",1
+DCRAT,"DCRAT (DarkCrystal RAT) is a modular Remote Access Trojan sold on Russian-speaking forums. It supports plugins for surveillance, data theft, and lateral movement.",2
+Lumma Stealer,"Lumma Stealer is a commercial credential stealer that exfiltrates browser data, cryptocurrency wallets, and autofill forms. It's often sold as malware-as-a-service (MaaS) to low-skilled actors.",3
+Nobelium,"Nobelium is a Russian APT group linked to the SolarWinds supply chain attack. Their operations focus on espionage and long-term access to high-value networks.",1
+Quasar,"Quasar is an open-source RAT that supports remote desktop, file exfiltration, and surveillance. While used legitimately by some, it's also abused in targeted attacks.",1
+Remcos,"Remcos (Remote Control & Surveillance) is a commercial RAT designed for remote access and data exfiltration. It's often distributed via phishing and malspam campaigns.",2
+Snake,"Snake, also known as Turla or Uroburos, is a sophisticated modular rootkit used for long-term espionage. It's linked to Russian state-sponsored actors and designed for stealth and persistence.",1
+Xworm,"Xworm is a customizable .NET-based stealer and RAT that exfiltrates credentials, files, and system data. It's sold on underground forums and used in commodity malware campaigns.",2

lookups/threat_snort_count.csv

@@ -0,0 +1,8 @@
+name: threat_snort_count
+date: 2025-05-13
+version: 1
+id: 48a35e07-ed5f-42f9-a5da-b7f2ab892e3c
+author: Bhavin Patel, Nasreddine Bencherchali, Splunk
+lookup_type: csv
+description: A list of threats and the number of distinct Snort IDs that should be fired to create an alert
+min_matches: 1

lookups/threat_snort_count.yml

@@ -1 +1 @@
-contentctl==5.5.2
+contentctl==5.5.3