# Sagan cisco-sca-alarms.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <[email protected]>
# 12/20/2022
# ---------------------------------------------------------------------------
# Cisco Secure Cloud Analytics (SCA) alert-type rules.
#
# Every rule in this block has the same shape:
#   * program:cisco-sca_data  - only log lines tagged with this program name are inspected.
#   * content #1 matches the JSON fragment  "cisco_sca_data_type": "alert"
#     (hex |22| is a double quote, |3a 20 22| is a colon, a space and a quote).
#   * content #2 matches  "type": "<SCA alert name>"  byte-for-byte; the msg
#     text mirrors that alert name with a [CISCO-SCA] prefix.
#   * classtype:trojan-activity, one reference URL (the SCA alerts/observations
#     PDF), a unique sid (5010498 upward in this block) and rev:1.
#
# NOTE(review): both content matches hard-code a space after the colon
# (|3a 20 22|). If the upstream JSON is serialized in compact form
# ("type":"...") none of these rules will fire - confirm the producer's
# serializer format before depending on them for coverage.
# NOTE(review): classtype:trojan-activity is applied to every rule, including
# operational and posture alerts such as "Attendance Drop", "AWS Config Rule
# Violation" and "Missing Sumo Logic Log". Any downstream priority mapping
# keyed on classtype will rank those the same as C2 detections; a per-rule
# classtype would give more useful triage ordering.
# ---------------------------------------------------------------------------
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Abnormal User"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Abnormal User|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010498; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Amplification Attack"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Amplification Attack|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010499; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Anomalous AWS Workspace"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Anomalous AWS Workspace|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010500; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Anomalous Mac Workstation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Anomalous Mac Workstation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010501; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Anomalous Windows Workstation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Anomalous Windows Workstation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010502; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Attendance Drop"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Attendance Drop|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010503; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS API Watchlist IP Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS API Watchlist IP Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010504; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Config Rule Violation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Config Rule Violation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010505; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Console Login Failures"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Console Login Failures|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010506; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Detector Modified"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Detector Modified|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010507; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS EC2 Startup Script Modified"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS EC2 Startup Script Modified|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010508; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS ECS Credential Access"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS ECS Credential Access|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010509; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS IAM Anywhere"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS IAM Anywhere|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010510; rev:1;)
# NOTE(review): "Trust Anchor Created" breaks the alphabetical ordering of the
# surrounding AWS rules and has no product prefix. Because the content match is
# byte-exact, verify the alert name against the referenced PDF - if the upstream
# name carries a prefix this rule will never match.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Trust Anchor Created"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Trust Anchor Created|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010511; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Inspector Finding"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Inspector Finding|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010512; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Lambda Invocation Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Lambda Invocation Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010513; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Lambda Persistence"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Lambda Persistence|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010514; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Logging Deleted"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Logging Deleted|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010515; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Multifactor Authentication Change"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Multifactor Authentication Change|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010516; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Overlapping Subnet"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Overlapping Subnet|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010517; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Root Account Used"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Root Account Used|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010518; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Snapshot Exfiltration"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Snapshot Exfiltration|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010519; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] AWS Temporary Token Persistence"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|AWS Temporary Token Persistence|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010520; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Activity Log IP Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Activity Log IP Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010521; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Activity Log Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Activity Log Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010522; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Advisor Watchlist"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Advisor Watchlist|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010523; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Exposed Services"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Exposed Services|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010524; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Firewall Deleted"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Firewall Deleted|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010525; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Function Invocation Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Function Invocation Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010526; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Key Vaults Deleted"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Key Vaults Deleted|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010527; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Network Security Group"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Network Security Group|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010528; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure OAuth Bypass"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure OAuth Bypass|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010529; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Permissive Security Group"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Permissive Security Group|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010530; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Permissive Storage Account"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Permissive Storage Account|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010531; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Resource Group Deleted"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Resource Group Deleted|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010532; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Security Event"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Security Event|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010533; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Transfer Data To Cloud Account"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Transfer Data To Cloud Account|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010534; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Azure Virtual Machine in Unused Location"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Azure Virtual Machine in Unused Location|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010535; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] CloudTrail Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|CloudTrail Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010536; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Confirmed Threat Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Confirmed Threat Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010537; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Country Set Deviation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Country Set Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010538; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Critical Severity Cloud Posture Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Critical Severity Cloud Posture Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010539; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] DNS Abuse"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|DNS Abuse|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010540; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Domain Generation Algorithm Successful Lookup"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Domain Generation Algorithm Successful Lookup|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010541; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Email Spam Alert"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Email Spam Alert|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010542; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Emergent Profile"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Emergent Profile|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010543; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Empire Command and Control"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Empire Command and Control|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010544; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Exceptional Domain Controller"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Exceptional Domain Controller|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010545; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Excessive Access Attempts (External)"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Excessive Access Attempts (External)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010546; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Excessive Connections to Network Printers"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Excessive Connections to Network Printers|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010547; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] GCP Cloud Function Invocation Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|GCP Cloud Function Invocation Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010548; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] GCP Stackdriver Logging Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|GCP Stackdriver Logging Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010549; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Geographically Unusual AWS API Usage"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Geographically Unusual AWS API Usage|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010550; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Geographically Unusual Azure API Usage"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Geographically Unusual Azure API Usage|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010551; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Geographically Unusual Remote Access"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Geographically Unusual Remote Access|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010552; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Heartbeat Connection Count"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Heartbeat Connection Count|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010553; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] High Bandwidth Unidirectional Traffic"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|High Bandwidth Unidirectional Traffic|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010554; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] High Severity Cloud Posture Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|High Severity Cloud Posture Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010555; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] ICMP Abuse"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|ICMP Abuse|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010556; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] IDS Emergent Profile"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|IDS Emergent Profile|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010557; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] IDS Notice Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|IDS Notice Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010558; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Inbound Port Scanner"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Inbound Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010559; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Internal Connection Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Internal Connection Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010560; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Internal Connection Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Internal Connection Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010561; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Internal Port Scanner"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Internal Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010562; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] LDAP Connection Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|LDAP Connection Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010563; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Low Severity Cloud Posture Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Low Severity Cloud Posture Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010564; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Malware Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Malware Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010565; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Medium Severity Cloud Posture Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Medium Severity Cloud Posture Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010566; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Meterpreter Command and Control Success"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Meterpreter Command and Control Success|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010567; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Missing Sumo Logic Log"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Missing Sumo Logic Log|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010568; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] NetBIOS Connection Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|NetBIOS Connection Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010569; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Network Population Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Network Population Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010570; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Network Printer with Excessive Connections"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Network Printer with Excessive Connections|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010571; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New AWS Lambda Invoke Permission Added"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New AWS Lambda Invoke Permission Added|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010572; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New AWS Region"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New AWS Region|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010573; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New AWS Route53 Target"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New AWS Route53 Target|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010574; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New External Connection"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New External Connection|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010575; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Internal Device"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New Internal Device|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010576; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New IP Scanner"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New IP Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010577; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Long Sessions (Geographic)"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New Long Sessions (Geographic)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010578; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Remote Access"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New Remote Access|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010579; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New SNMP Sweep"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New SNMP Sweep|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010580; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] New Unusual DNS Resolver"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|New Unusual DNS Resolver|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010581; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Non-Service Port Scanner"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Non-Service Port Scanner|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010582; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Outbound LDAP Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Outbound LDAP Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010583; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Outbound SMB Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Outbound SMB Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010584; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Outbound Traffic Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Outbound Traffic Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010585; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Permissive Amazon Elastic Kubernetes Service Cluster Created"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Permissive Amazon Elastic Kubernetes Service Cluster Created|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010586; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Permissive AWS S3 Access Control List"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Permissive AWS S3 Access Control List|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010587; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Permissive AWS Security Group Created"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Permissive AWS Security Group Created|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010588; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Persistent Remote Control Connections"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Persistent Remote Control Connections|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010589; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Potential Data Exfiltration"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Potential Data Exfiltration|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010590; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Potential Database Exfiltration"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Potential Database Exfiltration|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010591; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Potentially Harmful Hidden File Extension"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Potentially Harmful Hidden File Extension|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010592; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Potentially Vulnerable Remote Control Protocol"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Potentially Vulnerable Remote Control Protocol|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010593; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Protocol Forgery"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Protocol Forgery|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010594; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Protocol Violation (Geographic)"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Protocol Violation (Geographic)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010595; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Public Amazon Route 53 Hosted Zone Created"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Public Amazon Route 53 Hosted Zone Created|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010596; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Public Facing IP Watchlist Match"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Public Facing IP Watchlist Match|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010597; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Remote Access (Geographic)"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Remote Access (Geographic)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010598; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Repeated Umbrella Sinkhole Communications"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Repeated Umbrella Sinkhole Communications|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010599; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Repeated Watchlist Communications"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Repeated Watchlist Communications|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010600; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Role Violation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Role Violation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010601; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] S3 Bucket Lifecycle Configured"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|S3 Bucket Lifecycle Configured|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010602; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] SMB Connection Outlier"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|SMB Connection Outlier|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010603; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] SMB Connection Spike"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|SMB Connection Spike|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010604; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Stale AWS Access Key"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Stale AWS Access Key|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010605; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Static Device Connection Deviation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Static Device Connection Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010606; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Static Device Deviation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Static Device Deviation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010607; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Botnet Interaction"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Botnet Interaction|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010608; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Cryptocurrency Activity"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Cryptocurrency Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010609; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Malicious URL"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Malicious URL|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010610; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Phishing Domain"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Phishing Domain|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010611; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Port Abuse (External)"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Port Abuse (External)|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010612; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Remote Access Tool Heartbeat"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Remote Access Tool Heartbeat|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010613; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspected Zerologon RPC Exploit Attempt"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspected Zerologon RPC Exploit Attempt|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010614; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious DNS Over HTTPS Activity"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspicious DNS Over HTTPS Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010615; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious Domain Lookup Failures"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspicious Domain Lookup Failures|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010616; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious SMB Activity"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspicious SMB Activity|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010617; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Suspicious User Agent"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Suspicious User Agent|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010618; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Talos Intelligence Watchlist Hits"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Talos Intelligence Watchlist Hits|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010619; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] TrickBot AnchorDNS Tunneling"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|TrickBot AnchorDNS Tunneling|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010620; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unused AWS Resource"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Unused AWS Resource|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010621; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual DNS Connection"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Unusual DNS Connection|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010622; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual External Server"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Unusual External Server|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010623; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusual File Extension From New External Server"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Unusual File Extension From New External Server|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010624; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Unusually Large EC2 Instance"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Unusually Large EC2 Instance|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010625; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] User Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|User Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010626; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Vulnerable Transport Security Protocol"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Vulnerable Transport Security Protocol|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010627; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Watchlist Hit"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Watchlist Hit|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010628; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CISCO-SCA] Worm Propagation"; program:cisco-sca_data; content:"|22|cisco_sca_data_type|22 3a 20 22|alert|22|"; content:"|22|type|22 3a 20 22|Worm Propagation|22|"; classtype:trojan-activity; reference:url,www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/cloud/reference/Alerts_and_Observations_DV_2_4.pdf; sid:5010629; rev:1;)