update snort lookup

Author: nasbench

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -1,25 +1,27 @@
 name: Cisco Secure Firewall - Intrusion Events by Threat Activity
 id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 4  
-date: '2025-09-25'
+version: 5
+date: '2025-12-08'
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
 description: |
-  This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. 
-  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures 
-  associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a 
-  lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques. 
-  When multiple signatures associated with the same threat actor are triggered within the time window, and the count of 
-  unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated. 
-  This helps identify potential coordinated threat activity in your network environment by correlating related intrusion 
+  This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events.
+  It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures
+  associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a
+  lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques.
+  When multiple signatures associated with the same threat actor are triggered within the time window, and the count of
+  unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated.
+  This helps identify potential coordinated threat activity in your network environment by correlating related intrusion
   events that occur in close temporal proximity.
 
   Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:
+
   * ArcaneDoor
   * Static Tundra
   * AgentTesla
   * Amadey
+  * CastleRAT
   * AsyncRAT
   * Chafer
   * DCRAT
@@ -28,6 +30,7 @@ description: |
   * Quasar
   * Remcos
   * Snake
+  * Static Tundra
   * Xworm
 
   To add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.
@@ -80,7 +83,7 @@ rba:
     - field: signature
       type: signature
 tags:
-  analytic_story: 
+  analytic_story:
     - Cisco Secure Firewall Threat Defense Analytics
     - ArcaneDoor
   asset_type: Network
@@ -97,4 +100,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
     source: not_applicable
-    sourcetype: cisco:sfw:estreamer
+    sourcetype: cisco:sfw:estreamer

lookups/cisco_snort_ids_to_threat_mapping.csv

@@ -18,6 +18,7 @@ Amadey,60570,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
 Amadey,60571,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
 Amadey,60572,MALWARE-TOOLS,Win.Trojan.Amadey malware tools download attempt
 AsyncRAT,58773,MALWARE-CNC,Rat.Trojan.AsyncRAT variant cnc connection
+CastleRAT,65548,MALWARE-CNC,Win.Trojan.CastleRAT variant outbound IP geolocation lookup attempt
 Chafer,45972,MALWARE-CNC,Win.Trojan.Chafer malicious communication attempt
 Chafer,45973,MALWARE-CNC,Win.Trojan.Chafer malicious communication attempt
 DCRAT,58356,MALWARE-CNC,Win.Trojan.DCRAT variant outbound connection

lookups/cisco_snort_ids_to_threat_mapping.yml

@@ -1,6 +1,6 @@
 name: cisco_snort_ids_to_threat_mapping
-date: 2025-09-24
-version: 3
+date: 2025-12-08
+version: 4
 id: f08ae6ce-d7a8-423e-a778-be7178a719f9
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk Threat Research Team
 lookup_type: csv