{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anomaly_detection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Cloud","Splunk Enterprise Security"],"_cs_severities":["medium"],"_cs_tags":["network","intrusion_detection","anomaly_detection"],"_cs_type":"threat","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window. It leverages Cisco Secure Firewall Threat Defense logs, specifically focusing on the IntrusionEvent event type, to identify hosts that trigger more than 15 Snort-based signatures during that time. A sudden spike in intrusion alerts originating from a single host may indicate suspicious or malicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement. In some cases, this behavior may also be caused by misconfigured or outdated software repeatedly tripping detection rules. Systems exhibiting this pattern should be triaged promptly, as repeated Snort rule matches from a single source are often early indicators of compromise, persistence, or active exploitation attempts. The detection utilizes the Splunk Add-on for Cisco Security Cloud.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an internal system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe compromised system begins scanning the internal network for vulnerable services (T1595.002).\u003c/li\u003e\n\u003cli\u003eThe vulnerability scanning triggers multiple Snort intrusion detection signatures on the Cisco Secure Firewall.\u003c/li\u003e\n\u003cli\u003eMalware executes on the compromised system, attempting to establish command and control communication (T1071).\u003c/li\u003e\n\u003cli\u003eThe command and control communication generates network traffic patterns that match Snort signatures.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems on the network (T1059).\u003c/li\u003e\n\u003cli\u003eEach attempt to move laterally triggers additional intrusion events.\u003c/li\u003e\n\u003cli\u003eThe Cisco Secure Firewall logs these IntrusionEvent events, which are aggregated and analyzed by Splunk.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to data exfiltration, system compromise, and disruption of services. A high volume of intrusion events originating from a single host may indicate that an attacker has gained a foothold within the network and is actively engaged in malicious activity. This can result in significant financial losses, reputational damage, and legal liabilities. The longer the attacker remains undetected, the greater the potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Cisco Secure Firewall Threat Defense is properly configured to log IntrusionEvent events as described in the \u003ca href=\"https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf\"\u003eCisco documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Splunk Add-on for Cisco Security Cloud to ingest the Cisco Secure Firewall Threat Defense logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Secure Firewall - High Volume of Intrusion Events Per Host\u003c/code\u003e to your Splunk environment and tune the threshold (TotalEvents \u0026gt;= 15) based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any systems that trigger a high volume of intrusion events, focusing on potential malware infections, unauthorized access, and vulnerability scanning.\u003c/li\u003e\n\u003cli\u003eUse the provided drilldown searches to view the detection results and risk events associated with the source IP address.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:44:03Z","date_published":"2026-05-28T17:44:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cisco-high-intrusion-events/","summary":"This analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window using Cisco Secure Firewall Threat Defense logs, identifying hosts triggering more than 15 Snort-based signatures, which may indicate suspicious activity like malware execution, command-and-control communication, vulnerability scanning, or lateral movement.","title":"Cisco Secure Firewall - High Volume of Intrusion Events Per Host","url":"https://feed.craftedsignal.io/briefs/2026-05-cisco-high-intrusion-events/"}],"language":"en","title":"CraftedSignal Threat Feed — Anomaly_detection","version":"https://jsonfeed.org/version/1.1"}