MATCH-S00667.md

File metadata and controls

43 lines (36 loc) · 1.72 KB

Rules: Medium Severity Intrusion Signature

Description

This rule looks for an intrusion detection product reporting a medium severity intrusion signature whose source is an internal IP address.

Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Discovery |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip, user_username |
| Signal Name | {{metadata_vendor}} {{metadata_product}} Medium Severity Intrusion Signature |
| Summary Expression | Medium Severity Intrusion Signature detected: {{threat_name}} from IP: {{srcDevice_ip}} |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1046 |

Vendors and Products

Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | normalizedSeverity |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | srcDevice_ip_isInternal |
| Normalized Schema | threat_ruleType |
| Normalized Schema | user_username |
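The following is an added illustration of the matching described above, run over constructed records shaped like the normalized-schema fields this rule lists; it is not the rule's own expression. It assumes normalizedSeverity is a 0-10 scale with "medium" taken as 4-6, and that a threat_ruleType value of "intrusion" marks intrusion-signature records; the signal name, summary template, static score and risk entities come from the table above.

```python
from collections import defaultdict

# Added illustration, not the rule's own expression. It approximates the page's
# description over records shaped like the listed normalized-schema fields.
# Assumed: normalizedSeverity is 0-10 with "medium" = 4-6, and threat_ruleType
# "intrusion" marks intrusion-signature records.
MEDIUM_SEVERITY = range(4, 7)
SIGNAL_NAME = "{metadata_vendor} {metadata_product} Medium Severity Intrusion Signature"
SUMMARY = "Medium Severity Intrusion Signature detected: {threat_name} from IP: {srcDevice_ip}"
RISK_ENTITIES = ("srcDevice_hostname", "srcDevice_ip", "user_username")
STATIC_SEVERITY = 2  # the rule's static score

def matches(record: dict) -> bool:
    """Medium-severity intrusion signature whose source IP is internal."""
    return (
        record.get("threat_ruleType") == "intrusion"
        and record.get("srcDevice_ip_isInternal") is True
        and record.get("normalizedSeverity") in MEDIUM_SEVERITY
    )

def build_signal(record: dict) -> dict:
    """Render the templated name and summary; attach entities that receive risk."""
    fields = defaultdict(lambda: "<missing>", record)  # keep absent fields visible
    return {
        "name": SIGNAL_NAME.format_map(fields),
        "summary": SUMMARY.format_map(fields),
        "severity": STATIC_SEVERITY,
        "entities": {k: record[k] for k in RISK_ENTITIES if record.get(k)},
    }

def run(records) -> list:
    return [build_signal(r) for r in records if matches(r)]

# Constructed sample records (not real telemetry).
_BASE = {"metadata_vendor": "ExampleVendor", "metadata_product": "ExampleIPS",
         "threat_ruleType": "intrusion"}
SAMPLE_RECORDS = [
    # Internal source, medium severity: fires.
    {**_BASE, "threat_name": "Example.Scan.Probe", "normalizedSeverity": 5,
     "srcDevice_ip": "10.1.2.3", "srcDevice_ip_isInternal": True,
     "srcDevice_hostname": "ws-0042", "user_username": "alice"},
    # External source: does not fire.
    {**_BASE, "threat_name": "Example.Scan.Probe", "normalizedSeverity": 5,
     "srcDevice_ip": "203.0.113.9", "srcDevice_ip_isInternal": False},
    # Internal but high severity: outside the medium band, does not fire.
    {**_BASE, "threat_name": "Example.Exploit.Attempt", "normalizedSeverity": 8,
     "srcDevice_ip": "10.1.2.4", "srcDevice_ip_isInternal": True},
]
```

Only the first constructed record produces a signal; the external-source and high-severity records are left for other rules.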