MATCH-S00669.md

File metadata and controls

42 lines (35 loc) · 1.67 KB

# Rules: Informational Severity Intrusion Signature

## Description

This rule looks for an intrusion detection product reporting an informational-severity intrusion signature whose source is an internal IP address.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Discovery |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip, user_username |
| Signal Name | {{metadata_vendor}} {{metadata_product}} Informational Severity Intrusion Signature |
| Summary Expression | Informational Severity Intrusion Signature detected: {{threat_name}} from IP: {{srcDevice_ip}} |
| Score/Severity | Static: 0 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1046 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | normalizedSeverity |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | srcDevice_ip_isInternal |
| Normalized Schema | threat_ruleType |
| Normalized Schema | user_username |
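To make the rule's behaviour concrete, here is an added Python example (not the rule's real match expression and not Sumo Logic's engine) that applies the conditions described above to a few constructed normalized records and renders the Signal Name and Summary Expression templates from the table. The page does not state how the fields are compared, so the following are assumptions: an intrusion signature carries `threat_ruleType == "intrusion"`, informational severity is encoded as `normalizedSeverity == 1`, `listMatches` holds the names of match lists the record hit and a hit on an assumed suppression list (`intrusion_signature_allowlist`) skips the record, and `threat_name` (used by the summary but not listed under Fields Used) is present on the record.

```python
"""Illustrative evaluator for the Informational Severity Intrusion Signature rule.

Added example, not the rule's own expression. Assumed (not on the page):
threat_ruleType == "intrusion" marks an intrusion signature, normalizedSeverity == 1
means informational, and listMatches naming SUPPRESSION_LIST excludes the record.
"""
import re

INFORMATIONAL_SEVERITY = 1                            # assumed encoding
SUPPRESSION_LIST = "intrusion_signature_allowlist"    # assumed match-list name

# Templates and static values taken from the rule's Additional Details table.
SIGNAL_NAME = "{{metadata_vendor}} {{metadata_product}} Informational Severity Intrusion Signature"
SUMMARY = "Informational Severity Intrusion Signature detected: {{threat_name}} from IP: {{srcDevice_ip}}"
RISK_ENTITIES = ("srcDevice_hostname", "srcDevice_ip", "user_username")
STATIC_SCORE = 0


def matches(record):
    """True when a normalized record satisfies the (assumed) rule conditions."""
    return (
        record.get("threat_ruleType") == "intrusion"
        and record.get("normalizedSeverity") == INFORMATIONAL_SEVERITY
        and record.get("srcDevice_ip_isInternal") is True
        and SUPPRESSION_LIST not in record.get("listMatches", [])
    )


def render(template, record):
    """Replace {{field}} placeholders with record values; unknown fields are left as-is."""
    return re.sub(
        r"\{\{(\w+)\}\}",
        lambda m: str(record[m.group(1)]) if m.group(1) in record else m.group(0),
        template,
    )


def evaluate(records):
    """Return one signal dict per matching record: name, summary, severity, risk entities."""
    signals = []
    for record in records:
        if not matches(record):
            continue
        signals.append({
            "name": render(SIGNAL_NAME, record),
            "summary": render(SUMMARY, record),
            "severity": STATIC_SCORE,   # Score/Severity is Static: 0
            "entities": {e: record[e] for e in RISK_ENTITIES if record.get(e)},
        })
    return signals


# Constructed sample record; every value below is made up for this example.
BASE = {
    "metadata_vendor": "ExampleVendor",
    "metadata_product": "ExampleIDS",
    "threat_ruleType": "intrusion",
    "threat_name": "ET SCAN Example Probe",
    "normalizedSeverity": INFORMATIONAL_SEVERITY,
    "srcDevice_ip": "10.0.0.5",
    "srcDevice_ip_isInternal": True,
    "srcDevice_hostname": "ws-0042",
    "user_username": "jdoe",
    "listMatches": [],
}


def sample(**overrides):
    """Constructed record: BASE with the given fields changed."""
    return {**BASE, **overrides}


SAMPLE_RECORDS = [
    sample(),                                                           # fires
    sample(srcDevice_ip="203.0.113.9", srcDevice_ip_isInternal=False),  # external source
    sample(normalizedSeverity=5),                                       # not informational
    sample(threat_ruleType="malware"),                                  # not an intrusion signature
    sample(listMatches=[SUPPRESSION_LIST]),                             # on the assumed suppression list
]

if __name__ == "__main__":
    for signal in evaluate(SAMPLE_RECORDS):
        print(signal["name"], "|", signal["summary"], "| entities:", signal["entities"])
```

Only the first record produces a signal; the others show why a static score of 0 is reasonable here: the rule is an informational breadcrumb that attaches risk to the source host, IP and user for correlation, not an alert on its own, and an external source or a higher severity is left to other rules.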