Product
Prohibited Network Traffic Allowed
2 rules 1 TTPThis analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.
Cisco Privileged Account Creation with Suspicious SSH Activity
3 rules 2 TTPsThis analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns, indicating persistence establishment following initial compromise.
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
2 rules 3 TTPsThis analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window using Cisco Secure Firewall Threat Defense logs, identifying hosts triggering more than 15 Snort-based signatures, which may indicate suspicious activity like malware execution, command-and-control communication, vulnerability scanning, or lateral movement.
Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution
2 rules 4 TTPs 3 CVEsMultiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.
Outbound SMB Traffic Detection
2 rules 1 TTPThis analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.