What's new

Enterprise Security Content Updates version 5.4.0 was released on April 23, 2025 and includes the following enhancements:

Key highlights

The Splunk Threat Research Team has partnered with Cisco Talos to release new analytic stories and detections that significantly improve threat detection, investigation and response (TDIR) for Cisco Secure Firewall alerts. These ESCU detections go beyond basic alert forwarding and simple string matching: they combine Snort-based and non-Snort telemetry to support richer detection logic and analytic stories, and they strengthen the ability to detect vulnerability exploitation and track threat actors' follow-on activity. This release is the first in a series that will expand ESCU's network detection coverage for Cisco products through continued collaboration between the Splunk Threat Research Team and Cisco Talos.

Here's a summary of the latest updates:

Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and new detections for Cisco Secure Firewall that focus on three event types: file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events that fire across multiple hosts. Together they give broader visibility into network-based threats and host-level indicators of compromise.
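To make the three detection patterns above concrete, here is an added example (not ESCU's SPL and not Cisco's code) that runs equivalent logic over constructed Cisco Secure Firewall (FTD) style key: value syslog lines. The message IDs (430001 intrusion, 430003 connection end, 430004 file event), the field names, the suspicious-port list and the file-sharing-domain list are all assumptions made for illustration; the sample lines are constructed, not captured telemetry.

```python
"""Added example: Secure Firewall style detections over constructed FTD syslog.
Message IDs, field names and the suspicious-port / file-sharing lists are
assumptions for illustration, not ESCU or Cisco content."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample events (not real telemetry), one syslog record per line.
SAMPLE_EVENTS = """\
%FTD-1-430001: EventPriority: High, SrcIP: 203.0.113.10, DstIP: 10.0.0.5, SrcPort: 44321, DstPort: 443, Protocol: tcp, GID: 1, SID: 61234, Message: SERVER-WEBAPP Test exploit attempt
%FTD-1-430001: EventPriority: High, SrcIP: 203.0.113.10, DstIP: 10.0.0.6, SrcPort: 44322, DstPort: 443, Protocol: tcp, GID: 1, SID: 61234, Message: SERVER-WEBAPP Test exploit attempt
%FTD-1-430001: EventPriority: High, SrcIP: 203.0.113.10, DstIP: 10.0.0.7, SrcPort: 44323, DstPort: 443, Protocol: tcp, GID: 1, SID: 61234, Message: SERVER-WEBAPP Test exploit attempt
%FTD-1-430001: EventPriority: Low, SrcIP: 10.0.0.5, DstIP: 10.0.0.9, SrcPort: 5555, DstPort: 445, Protocol: tcp, GID: 1, SID: 40001, Message: noisy policy rule
%FTD-1-430003: SrcIP: 10.0.0.5, DstIP: 198.51.100.20, SrcPort: 50011, DstPort: 4444, Protocol: tcp, URL: -, ACPolicy: default
%FTD-1-430003: SrcIP: 10.0.0.6, DstIP: 198.51.100.30, SrcPort: 50012, DstPort: 443, Protocol: tcp, URL: https://transfer.example-share.net/x, ACPolicy: default
%FTD-1-430004: SrcIP: 10.0.0.7, DstIP: 198.51.100.40, FileName: invoice.exe, FileType: MSEXE, SHA_Disposition: Malware, FileAction: Malware Cloud Lookup
%FTD-1-430004: SrcIP: 10.0.0.8, DstIP: 198.51.100.41, FileName: notes.pdf, FileType: PDF, SHA_Disposition: Clean, FileAction: Malware Cloud Lookup
"""

SUSPICIOUS_PORTS = {"4444", "1337", "6667"}            # assumption: common C2/IRC ports
FILE_SHARING_DOMAINS = {"transfer.example-share.net"}  # constructed placeholder list
MIN_HOSTS = 3  # assumption: a signature is "widespread" at 3+ distinct destinations

HEADER = re.compile(r"^%FTD-\d-(?P<msg_id>\d{6}): (?P<body>.*)$")


def parse_event(line):
    """Split '%FTD-1-430001: Key: Value, Key: Value' into a dict (None if no match)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = {"msg_id": m.group("msg_id")}
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            ev[key] = value
    return ev


def parse_events(text):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def intrusion_signatures_across_hosts(events, min_hosts=MIN_HOSTS):
    """Snort signatures (GID:SID) that fired against >= min_hosts distinct destination hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["msg_id"] == "430001":
            hosts[(ev["GID"], ev["SID"])].add(ev["DstIP"])
    return {f"{gid}:{sid}": sorted(h) for (gid, sid), h in hosts.items() if len(h) >= min_hosts}


def suspicious_connections(events):
    """Connections to a suspicious port or to a known file-sharing domain."""
    hits = []
    for ev in events:
        if ev["msg_id"] not in ("430002", "430003"):
            continue
        reasons = []
        if ev.get("DstPort") in SUSPICIOUS_PORTS:
            reasons.append("suspicious_port")
        if urlparse(ev.get("URL", "")).hostname in FILE_SHARING_DOMAINS:
            reasons.append("file_sharing_domain")
        if reasons:
            hits.append((ev["SrcIP"], ev["DstIP"], ev["DstPort"], reasons))
    return hits


def malicious_file_events(events):
    """File events whose SHA disposition is Malware."""
    return [(ev["SrcIP"], ev["FileName"], ev["SHA_Disposition"])
            for ev in events
            if ev["msg_id"] == "430004" and ev.get("SHA_Disposition") == "Malware"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(intrusion_signatures_across_hosts(evs))
    print(suspicious_connections(evs))
    print(malicious_file_events(evs))
```

The multi-host check keys on the Snort GID:SID pair rather than on the free-text message, so a rule revision or message edit does not split the count; the low-priority signature that hit only one host stays below the threshold and is not reported.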

AWS Bedrock Security: We released a new analytic story that monitors for adversary techniques targeting AWS Bedrock, the managed service for building and scaling generative AI applications. It includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as for high volumes of model invocation failures.
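As an added example (not ESCU's SPL), the two detection ideas above can be expressed as logic over CloudTrail records: flag Bedrock control-removal API calls whether they succeeded or were denied, and flag principals whose failed model invocations exceed a threshold within a sliding time window. The API names used for the destructive set, the thresholds, the window, and the records themselves are assumptions constructed for illustration.

```python
"""Added example: Bedrock detections over constructed CloudTrail records.
Event names, thresholds and sample data are assumptions, not ESCU content."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumption: Bedrock API names whose success removes a security control.
DESTRUCTIVE_EVENTS = {
    "DeleteGuardrail",
    "DeleteKnowledgeBase",
    "DeleteModelInvocationLoggingConfiguration",
}
# Assumption: Bedrock runtime calls that count as a model invocation.
INVOCATION_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
BEDROCK = "bedrock.amazonaws.com"


def _rec(time, name, arn, error=None):
    """Build a constructed CloudTrail record trimmed to the fields the detections use."""
    rec = {"eventVersion": "1.10", "eventTime": time, "eventSource": BEDROCK,
           "eventName": name, "awsRegion": "us-east-1",
           "userIdentity": {"type": "IAMUser", "arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    _rec("2025-04-23T11:58:00Z", "DeleteGuardrail", ALICE),
    _rec("2025-04-23T11:58:30Z", "DeleteModelInvocationLoggingConfiguration", ALICE),
    _rec("2025-04-23T11:59:00Z", "DeleteKnowledgeBase", ALICE, "AccessDeniedException"),
    _rec("2025-04-23T12:00:00Z", "InvokeModel", BOB),  # success, not a failure
] + [
    _rec(f"2025-04-23T12:0{i}:00Z", "InvokeModel", BOB, "AccessDeniedException") for i in range(1, 7)
] + [
    _rec("2025-04-23T12:30:00Z", "InvokeModel", CAROL, "ValidationException"),
    _rec("2025-04-23T12:31:00Z", "InvokeModel", CAROL, "ValidationException"),
]


def _principal(rec):
    return rec.get("userIdentity", {}).get("arn", "unknown")


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def control_removal_calls(records):
    """Every Bedrock guardrail / knowledge base / logging deletion, including denied attempts."""
    return [(rec["eventName"], _principal(rec), rec.get("errorCode", "Success"))
            for rec in records
            if rec.get("eventSource") == BEDROCK and rec["eventName"] in DESTRUCTIVE_EVENTS]


def high_volume_invocation_failures(records, threshold=5, window=timedelta(minutes=10)):
    """Principals with >= threshold failed invocations inside any sliding window."""
    failures = defaultdict(list)
    for rec in records:
        if (rec.get("eventSource") == BEDROCK and rec["eventName"] in INVOCATION_EVENTS
                and "errorCode" in rec):
            failures[_principal(rec)].append((_ts(rec), rec["errorCode"]))
    alerts = {}
    for principal, items in failures.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best = count
                alerts[principal] = {"failures": count,
                                     "codes": Counter(code for _, code in items[start:end + 1])}
    return alerts


if __name__ == "__main__":
    print(control_removal_calls(SAMPLE_RECORDS))
    print(high_volume_invocation_failures(SAMPLE_RECORDS))
```

Denied deletions are reported alongside successful ones because a principal probing for permission to remove guardrails or logging is itself worth a look; the failure counter keeps the error codes so an analyst can tell a credential being brute-forced against AccessDeniedException from a misconfigured client throwing ValidationException.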

Mapping Threat Campaigns: We mapped several detections to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution and provide insight into the TTPs observed in those campaigns.

New Detections: We introduced additional detections for behaviors such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.
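Two of the behaviors above, Volume Shadow Copy deletion via WMIC and IP address collection via Invoke-RestMethod, are command-line detections, and the detail that matters in practice is normalizing the command line before matching so that caret escapes, quoting and irregular whitespace do not defeat the pattern. The following added example (not ESCU's SPL) shows that over constructed Sysmon Event ID 1 style records; the IP-lookup domain list, the sample records and the inclusion of the irm/iwr aliases are assumptions for illustration.

```python
"""Added example: command-line detections over constructed process events.
Sample records and the IP-lookup domain list are assumptions, not ESCU content."""
import re
from urllib.parse import urlparse

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_PROCESSES = [
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic  SHADOWCOPY  /nointeractive  delete"},
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy list brief"},                       # benign enumeration
    {"host": "ws02", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wm^ic shadow^copy delete"},                   # caret-obfuscated
    {"host": "ws03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "irm https://ip.example-lookup.net/json"'},
    {"host": "ws03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Invoke-RestMethod -Uri https://intranet.example.local/api/health"'},
]

IP_LOOKUP_DOMAINS = {"ip.example-lookup.net"}  # constructed placeholder for public IP-echo services

SHADOWCOPY_DELETE = re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b")
# Invoke-RestMethod and its irm alias, plus the Invoke-WebRequest/iwr pair as an extension.
REST_CALL = re.compile(r"\b(invoke-restmethod|irm|invoke-webrequest|iwr)\b")
URL = re.compile(r"https?://[^\s\"']+")


def normalize(cmd):
    """Lowercase, drop cmd.exe caret escapes and quotes, collapse whitespace."""
    cmd = cmd.lower().replace("^", "").replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).strip()


def shadow_copy_deletions(events):
    """WMIC shadow copy deletion, matched on the normalized command line."""
    return [(ev["host"], ev["CommandLine"])
            for ev in events if SHADOWCOPY_DELETE.search(normalize(ev["CommandLine"]))]


def ip_lookup_via_powershell(events):
    """PowerShell REST calls whose target host is a known IP-lookup service."""
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        cmd = normalize(ev["CommandLine"])
        if not REST_CALL.search(cmd):
            continue
        for url in URL.findall(cmd):
            host = urlparse(url).hostname
            if host in IP_LOOKUP_DOMAINS:
                hits.append((ev["host"], host))
    return hits


if __name__ == "__main__":
    print(shadow_copy_deletions(SAMPLE_PROCESSES))
    print(ip_lookup_via_powershell(SAMPLE_PROCESSES))
```

Matching on the normalized string rather than the raw one is what catches the caret-split `wm^ic shadow^copy delete` launched through cmd.exe, while the `shadowcopy list` enumeration on the same host is left alone because it never reaches the delete verb.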

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New analytics

Other updates

  • Reverted several searches to use | join instead of prestats=t because of bugs encountered in the search logic.
  • Removed Detections - As announced in the ESCU v5.2.0 release notes, we have removed some detections; use their replacements where appropriate. We have also deprecated a new set of detections that are scheduled for removal in ESCU v5.6.0.
  • Updated the deprecation_info lookup with the latest information on deprecated and removed detections.