Connection Analysis¶
Sub-Section: FTD Forensics
Source: FTD Connection Event Deep Dive
Overview¶
Connection analysis provides detailed forensic examination of network sessions, application traffic, and communication patterns through Firepower Threat Defense. This chapter focuses on advanced connection event analysis for security investigations.
Connection Event Schema¶
Key Fields:
| Field | Description | Forensic Value |
|---|---|---|
timestamp |
Connection start/end time | Timeline reconstruction |
sourceIP |
Originating IP address | Attacker identification |
sourcePort |
Source port number | Client identification |
destinationIP |
Target IP address | C2 server, exfil destination |
destinationPort |
Destination port/service | Service targeted |
protocol |
TCP/UDP/ICMP | Protocol analysis |
bytes_sent / bytes_received |
Data volume | Data exfiltration detection |
application |
Detected application (AVC) | Application visibility |
action |
Allow/Block/Drop | Policy enforcement |
user |
Identity (ISE integration) | User attribution |
ssl_policy |
SSL inspection action | Encrypted traffic visibility |
url |
HTTP/HTTPS URL | Web activity tracking |
duration |
Connection duration | Long-lived connection detection |
Data Exfiltration Detection¶
Large Volume Transfers:
index=firewall sourcetype=cisco:ftd:connection
earliest=-24h latest=now
action=allowed direction=outbound
| stats sum(bytes_sent) as total_bytes, count as conn_count by src_ip, dest_ip, application
| where total_bytes > 536870912 /* 512 MB threshold */
| eval total_mb=round(total_bytes/1048576, 2)
| sort -total_mb
| table src_ip, dest_ip, application, conn_count, total_mb
HTTPS Tunnel Analysis:
# Detect sustained HTTPS connections (potential C2 or exfiltration tunnel)
index=firewall sourcetype=cisco:ftd:connection
dest_port=443 OR dest_port=8443
| where duration > 3600 /* connections > 1 hour */
| stats sum(bytes_sent) as sent, sum(bytes_received) as recv, avg(duration) as avg_duration by src_ip, dest_ip
| where sent > 104857600 /* 100 MB sent threshold */
| eval sent_mb=round(sent/1048576, 2), recv_mb=round(recv/1048576, 2)
| sort -sent_mb
Command & Control (C2) Detection¶
Beaconing Detection:
# Identify periodic outbound connections (potential C2 beacons)
index=firewall sourcetype=cisco:ftd:connection
earliest=-24h latest=now
direction=outbound
| bin _time span=5m
| stats count by _time, src_ip, dest_ip
| eventstats avg(count) as avg_conn, stdev(count) as stdev_conn by src_ip, dest_ip
| where count > (avg_conn + (2*stdev_conn)) /* Anomaly detection */
| table _time, src_ip, dest_ip, count
Suspicious Domain Patterns:
index=firewall sourcetype=cisco:ftd:connection
earliest=-7d latest=now
| rex field=url "(?<domain>[^/]+)"
| where match(domain, "^[a-z0-9]{20,}\.com$") /* DGA-generated domains */
| stats count by domain, src_ip
| sort -count
Lateral Movement Analysis¶
Internal SMB Activity:
index=firewall sourcetype=cisco:ftd:connection
dest_port=445 OR dest_port=139
src_ip=10.* dest_ip=10.* /* Internal-to-internal */
| stats count, values(dest_ip) as targets by src_ip, user
| where count > 10 /* More than 10 SMB targets */
| sort -count
RDP Connections:
index=firewall sourcetype=cisco:ftd:connection
dest_port=3389
| stats count, values(dest_ip) as rdp_targets, dc(dest_ip) as unique_targets by src_ip, user
| where unique_targets > 5
| sort -count
WinRM / PowerShell Remoting:
index=firewall sourcetype=cisco:ftd:connection
dest_port=5985 OR dest_port=5986
| stats count, values(dest_ip) as targets by src_ip
| sort -count
Application Visibility & Control (AVC)¶
Unauthorized Applications:
index=firewall sourcetype=cisco:ftd:connection
earliest=-24h latest=now
application!=unknown
| stats sum(bytes_sent) as total_bytes, count by application, user
| where application IN ("BitTorrent", "TeamViewer", "TOR", "Cryptocurrency", "Remote-Access")
| eval total_mb=round(total_bytes/1048576, 2)
| sort -total_mb
Application Risk Analysis:
index=firewall sourcetype=cisco:ftd:connection
| stats sum(bytes_sent) as sent, sum(bytes_received) as recv by application, application_risk
| where application_risk IN ("High", "Very High")
| eval sent_gb=round(sent/1073741824, 2), recv_gb=round(recv/1073741824, 2)
| sort -sent_gb
Geo-IP Analysis¶
Connections to High-Risk Countries:
index=firewall sourcetype=cisco:ftd:connection
earliest=-7d latest=now
direction=outbound
| iplocation dest_ip
| where Country IN ("CN", "RU", "KP", "IR") /* High-risk countries */
| stats sum(bytes_sent) as sent, count by src_ip, Country, dest_ip
| eval sent_mb=round(sent/1048576, 2)
| sort -sent_mb
Long-Lived Connections¶
Detect Persistent Connections:
index=firewall sourcetype=cisco:ftd:connection
| where duration > 86400 /* > 24 hours */
| stats values(dest_ip) as destinations, avg(duration) as avg_duration by src_ip, application
| eval avg_hours=round(avg_duration/3600, 1)
| sort -avg_hours
User Attribution¶
Top Users by Bandwidth:
index=firewall sourcetype=cisco:ftd:connection
user!=unknown
| stats sum(bytes_sent) as sent, sum(bytes_received) as recv by user, application
| eval total_gb=round((sent+recv)/1073741824, 2)
| sort -total_gb
| head 20
After-Hours Activity:
index=firewall sourcetype=cisco:ftd:connection
earliest=-7d latest=now
user!=unknown
| eval hour=strftime(_time, "%H")
| where hour < 06 OR hour > 20 /* Outside 6 AM - 8 PM */
| stats sum(bytes_sent) as sent by user, hour, application
| eval sent_gb=round(sent/1073741824, 2)
| sort -sent_gb
Connection Correlation with Endpoint Events¶
Cross-Reference with AMP:
# Find network connections from infected endpoints
index=firewall sourcetype=cisco:ftd:connection
[search index=endpoint sourcetype=cisco:amp:event disposition=malicious
| return src_ip]
| stats count, values(dest_ip) as contacted_servers by src_ip, application
| sort -count
Forensic Reporting¶
Executive Summary:
index=firewall sourcetype=cisco:ftd:connection
earliest=-30d latest=now
| stats
count as total_connections,
dc(src_ip) as unique_sources,
dc(dest_ip) as unique_destinations,
sum(bytes_sent) as total_sent,
sum(bytes_received) as total_received
by action
| eval total_sent_tb=round(total_sent/1099511627776, 2),
total_received_tb=round(total_received/1099511627776, 2)