# Sagan cisco-amp.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Quadrant Information Security nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Brian Echeverry" <[email protected]>
# 2018/05/25
# Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/api/db-access/Database_Access/Schema-System.html
# These rules apply to Cisco AMP for Endpoints (now Cisco Secure Endpoint) events pulled from the Cisco API and fed to Sagan as JSON.
# --- Secure Endpoint API event stream: lifecycle / quarantine / account events ---
# Every rule below keys on the literal JSON fragment "event_type_id":<id>
# (|22| is '"', |3A| is ':').  Two caveats a maintainer should know:
#   * The content match has no trailing delimiter, so it is a numeric *prefix*
#     match: "event_type_id":1003 also matches any longer id starting 1003.
#     If a short id ever produces cross-matches, anchor it with a trailing |2C|
#     (',') or |7D| ('}').
#   * The match assumes the poller serializes with no space after the colon.
#     If a rule never fires, check the on-disk JSON before suspecting the id.
# parse_src_ip: 2 / parse_dst_ip: 1 are Sagan positional IP extraction (the
# 2nd / 1st IP address found anywhere in the raw message text, not a JSON key)
# -- confirm against the collector's line format before trusting src/dest.
# Rules that are commented out appear to be deliberately disabled as low-value
# informational events; re-enable per environment.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Policy Update"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648130"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003874; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Scan Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696714"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003875; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Scan Completed, No Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696715"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003876; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Scan Completed With Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1091567628"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003877; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Scan Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2165309453"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003878; rev:2; metadata: updated_on 2024_06_13;)
# Threat Detected (active).  The .detection value is the engine's signature name
# (e.g. 'Gen:Variant.Jatommy.3.3433'), not a user; it is mapped into Sagan's
# username slot only so the threshold can key on it.  Source/destination come
# from json_map (.computer.network_addresses[].ip / .computer.external_ip)
# rather than positional parsing, and "normalize" runs liblognorm on the event.
# The threshold rate-limits repeat alerts for the same (source, detection) pair
# to count 1 per 86400 s -- a second distinct detection on the same host still
# alerts; the same detection re-firing within 24 h does not.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Threat Detected"; program:CISCO-AMP; content:"|22|event_type_id|22 3A|1090519054"; threshold:type suppress, track by_src&by_username, count 1, seconds 86400; json_map:"username",".detection"; json_map:"src_ip",".computer.network_addresses[].ip"; json_map:"dest_ip",".computer.external_ip"; normalize; classtype:suspicious-traffic; sid:5003879; rev:2; metadata: updated_on 2024_06_13;)
# Quarantine outcome rules (active).  "Threat Detected in Exclusion" means the
# engine saw a threat but the file path is excluded from remediation -- worth
# keeping enabled even though it is classed as a system-event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Threat Quarantined"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648143"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003880; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantine Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260880"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003881; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Threat Detected in Exclusion"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648145"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003882; rev:2; metadata: updated_on 2024_06_13;)
# Quarantine restore / delete lifecycle (disabled).  Note that a restore from
# quarantine puts a previously convicted file back on disk; if these are ever
# re-enabled, the "Restore" events are the ones worth routing to an analyst.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantine Restore Requested"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425394"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003883; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantined Item Restored"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648149"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003884; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantine Restore Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260884"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003885; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantine Request Failed to be Delivered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2181038130"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003886; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantined Item Deleted"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648152"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003887; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Failed to Delete From Quarantine"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260889"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003888; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Attempting Quarantine Delete"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648151"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003889; rev:2; metadata: updated_on 2024_06_13;)
# Cloud Recall (retrospective verdict change) events.  Only the quarantine
# success/failure pair is active; the restore-side rules are disabled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Restore from Quarantine"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648154"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003890; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Quarantine Successful"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648155"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003891; rev:2; metadata: updated_on 2024_06_13;)
# NOTE(review): this is a failure event but carries classtype system-event,
# unlike the sibling *Failed rules (system-error); align it if re-enabled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Restore from Quarantine Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260892"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003892; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Quarantine Attempt Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260893"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003893; rev:2; metadata: updated_on 2024_06_13;)
# Connector install / uninstall (disabled).  An unexpected "Uninstall" on a
# production host is a classic defense-evasion signal; consider enabling it
# where connector removal is change-controlled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Install Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648158"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003894; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Install Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260895"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003895; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Uninstall"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648166"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003896; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Uninstall Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260903"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003897; rev:2; metadata: updated_on 2024_06_13;)
# Console account events (disabled).  These ids are only four digits, so the
# prefix-match caveat at the top of this section applies most strongly here.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Email Confirmation"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1003"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003898; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Forgotten Password Reset"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1004"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003899; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Password Has Been Reset"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1005"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003900; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Policy Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260866"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid:5003901; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Restore from Quarantine Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648146"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003902; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Cloud Recall Quarantine Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648147"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003903; rev:2; metadata: updated_on 2024_06_13;)
# Execution Blocked (active): the connector prevented a file from running.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Execution Blocked"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648168"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003904; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Quarantine Restore Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648150"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003905; rev:2; metadata: updated_on 2024_06_13;)
# API application registration / authorization (disabled).  These describe
# third-party API credentials being granted or revoked against the console;
# a new "Application Authorized" outside a change window is worth alerting on.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Application Registered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425396"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003906; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Application Deregistered"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425397"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003907; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Application Authorized"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425398"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003908; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Application Deauthorized"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|570425399"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid:5003914; rev:2; metadata: updated_on 2024_06_13;)
# --- Secure Endpoint API event stream: detections, IOCs and connector faults ---
# Active detection rules are classed suspicious-traffic; connector health
# rules are system-error / system-event.  Same content-match caveats as the
# lifecycle rules: literal "event_type_id":<id>, numeric-prefix match, no
# space after the colon.  src/dest are positional (2nd / 1st IP in the text).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] APK Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090524040"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003909; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] APK Custom Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090524041"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003910; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] DFC Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519084"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003911; rev:2; metadata: updated_on 2024_06_13;)
# Cloud IOC (behavioural) detections.  sid numbering switches to "sid: NNN"
# (with a space) from here on; both spellings are accepted, it is cosmetic.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Multiple Infected Files"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296257"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003912; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Potential Dropper Infection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296258"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5003913; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Java compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296260"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003821; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Adobe Reader compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296261"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003822; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Word compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296262"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003823; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Excel compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296263"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003824; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft PowerPoint compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296264"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003825; rev:2; metadata: updated_on 2024_06_13;)
# "launched a shell" events are a document/plugin process spawning a command
# interpreter -- a high-fidelity post-exploitation indicator; keep these active.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Java launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296265"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003826; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Adobe Reader launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296266"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003827; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Word launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296267"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003828; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Excel launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296268"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003829; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft PowerPoint launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296269"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003830; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Apple QuickTime compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296270"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003831; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Apple QuickTime launched a shell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296271"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003832; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Executed malware"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296272"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003833; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Suspected botnet connection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296273"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003834; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Reboot Pending"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648170"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003835; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Reboot Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648171"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003836; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Generic IOC"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296274"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003837; rev:2; metadata: updated_on 2024_06_13;)
# calc.exe / notepad.exe being "compromised" almost always means process
# injection or hollowing into a benign host binary -- treat as high severity.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Calculator compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296275"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003838; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft Notepad compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296276"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003839; rev:2; metadata: updated_on 2024_06_13;)
# File fetch and endpoint IOC scan lifecycle (disabled).
# NOTE(review): "Endpoint IOC Scan Completed With Detections" is classed
# system-event while the equivalent AV scan result (sid 5003877) is
# suspicious-traffic; align them if this is re-enabled.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] File Fetch Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648173"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003840; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] File Fetch Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260910"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003841; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Scan Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696756"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003842; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Scan Completed, No Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|554696757"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003843; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Scan Completed With Detections"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1091567670"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003844; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Scan Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2165309495"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003845; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Definition Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260914"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003846; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Definition Update Success"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648179"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003847; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Configuration Update Failure"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260911"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003848; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Configuration Update Success"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648176"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003849; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint IOC Scan Detection Summary"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519089"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003850; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Connection to suspicious domain"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296277"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003851; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Threat Detected in Low Prevalence Executable"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296278"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003852; rev:2; metadata: updated_on 2024_06_13;)
# Vulnerable Application: the negated content drops events whose JSON carries
# "severity":"Low"; medium/high/critical (and events with no severity field)
# still alert.  The exclusion is exact-case on the literal Low.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Vulnerable Application Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296279"; content:!"|22|severity|22 3a 22|Low|22|"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003853; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Suspicious Download"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296280"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003854; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Microsoft CHM Compromise"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296281"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003855; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Suspicious Cscript Launch"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296282"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003856; rev:2; metadata: updated_on 2024_06_13;)
# Connector update / reboot lifecycle (disabled).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Update: Reboot Required"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519096"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003857; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Update: Reboot Advised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519097"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003858; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Update: Unexpected Reboot Required"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260922"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003859; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Product Update Failed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648137"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003860; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Product Update Started"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648135"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003861; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Product Update Completed"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648136"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003862; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Potential Ransomware"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296284"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003863; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Possible Webshell"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1107296283"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003864; rev:2; metadata: updated_on 2024_06_13;)
# Exploit Prevention.  The negated content silences EVERY event whose JSON
# has "application":"chrome.exe" -- genuine Chrome exploit-prevention hits
# included, not just noisy ones.  This is a deliberate coverage gap
# (rev 3, 2024-07-08; presumably for false-positive volume) and should be
# revisited if Chrome is a target of concern; a tighter fix would exclude on
# the specific noisy detection rather than the whole application.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Exploit Prevention"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519103"; content:!"|22|application|22 3a 22|chrome.exe|22|"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003865; rev:3; metadata: updated_on 2024_07_08;)
# Connector fault reporting.  Critical/major are active; a critical fault can
# mean the connector's protection engine is down, so this doubles as an
# EDR-tamper / coverage-loss signal.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Critical Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|2164260931"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003866; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Major Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519107"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003867; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Minor Fault Raised"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648195"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-error; sid: 5003868; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Fault Cleared"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648196"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003869; rev:2; metadata: updated_on 2024_06_13;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] All Faults Cleared"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648197"; parse_src_ip: 2; parse_dst_ip: 1; classtype: system-event; sid: 5003870; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Rootkit Detection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519081"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003871; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] iOS Network Detection"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|1090519102"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid: 5003872; rev:2; metadata: updated_on 2024_06_13;)
#2022-10-17 Bryant Smith
#Cisco Secure Endpoint - Formerly AMP for endpoints
# --- Connector-side log lines (Windows event log / syslog), not the JSON API feed ---
# "program:*CiscoSecureEndpoint*|CISCO-AMP" matches either a wildcarded
# syslog tag or the literal CISCO-AMP tag.  These three rules have no
# parse_*_ip, so source/destination are the syslog sender itself -- hence the
# $HOME_NET -> $HOME_NET header; a forwarder outside $HOME_NET will not match.
# The content strings are the fixed Windows event-message prefixes
# ("102: ...", "100: ...", "401: ..."); they are exact-text matches, so a
# connector version that rewords the message will silently stop firing.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Exploit attempt was detected"; program:*CiscoSecureEndpoint*|CISCO-AMP; content:"102: An exploit attempt was detected"; classtype:trojan-activity; sid:5008352; rev:2; metadata: updated_on 2024_06_13;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Exploit attempt was prevented"; program:*CiscoSecureEndpoint*|CISCO-AMP; content:"100: An exploit attempt was prevented"; classtype:trojan-activity; sid:5008355; rev:2; metadata: updated_on 2024_06_13;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Event Engine Detection"; program:*CiscoSecureEndpoint*|CISCO-AMP; content:"401: {Description: EVENT_ENGINE_DETECTION_RESULT"; classtype:trojan-activity; sid:5008356; rev:2; metadata: updated_on 2024_06_13;)
# NOTE(review): this rule reuses the msg "Threat Detected" already used by
# sid 5003879 (event_type_id 1090519054) but keys on event_type_id 553648222.
# Confirm which Cisco event 553648222 is and give it a distinct msg so the two
# are distinguishable in alert output and downstream correlation.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Threat Detected"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648222"; parse_src_ip: 2; parse_dst_ip: 1; classtype: suspicious-traffic; sid:5014313; rev:2; metadata: updated_on 2024_06_13;)
# Endpoint isolation (host network containment) start/stop.  Start is classed
# suspicious-traffic so that containment actions surface in the alert stream;
# stop is an informational system-event.  NOTE(review): the two rules use
# different headers (start $HOME_NET -> $HOME_NET, stop $EXTERNAL_NET ->
# $HOME_NET) while both parse IPs positionally from the same event shape --
# the asymmetry looks accidental; confirm which side the parsed IPs land on
# so both reliably fire, and consider aligning the headers.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint Isolation Start Success"; program:CISCO-AMP; content:"|22|event_type_id|22 3A|553648202"; parse_src_ip: 2; parse_dst_ip: 1; reference:url,https://www.cisco.com/c/en/us/td/docs/security/firepower/610/api/db-access/Database_Access/Schema-System.html; classtype:suspicious-traffic; sid:5014545; rev:2; metadata: updated_on 2024_06_13;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-SECUREENDPOINT] Endpoint Isolation Stop Success"; program: CISCO-AMP; content: "|22|event_type_id|22 3A|553648204"; parse_src_ip: 2; parse_dst_ip: 1; reference:url,https://www.cisco.com/c/en/us/td/docs/security/firepower/610/api/db-access/Database_Access/Schema-System.html; classtype:system-event; sid:5014546; rev:2; metadata: updated_on 2024_06_13;)