
Firewall detections

Firewalls are network security devices that monitor incoming and outgoing network traffic. Firewalls have been on the defensive line for security for over 25 years. This traffic monitoring enables firewalls to allow or block specific traffic based on a defined set of rules. Firewall data is ingested into Devo from a large number of vendors and aggregated into firewall.all.traffic tables.

Firewalls can be hardware, software, or both. In any deployment model, firewalls establish a barrier between secured, controlled internal networks and the outside, separating trusted from untrusted networks.

Identifies SMB traffic from external sources allowed through the firewall. Due to known vulnerabilities with the SMB protocol, this type of external traffic falls outside best practices.

Source table → firewall.all.traffic

Detects SMB traffic from internal to external sources allowed through the firewall.

Source table → firewall.all.traffic

Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network.

Source table → firewall.all.traffic

Alerts when Fortinet Firewall detects a high risk application within the environment.

Source table → firewall.fortinet.traffic.forward

Detects excessive Palo Alto firewall authentication failures for a single IP within a short period of time.

Source table → firewall.paloalto.system
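As an added example (not Devo's own detection code), the following Python shows the logic behind the SMB and RDP traffic detections and the excessive-authentication-failure detection above, run over constructed sample records. The field names (src, dst, dport, action), the RFC 1918 definition of "internal", and the threshold of 5 failures in 60 seconds are assumptions for this example, not values taken from the firewall.all.traffic or firewall.paloalto.system tables.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records. Field names (src, dst, dport, action) are
# assumptions for this example, not the real firewall.all.traffic columns.
FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 445, "action": "allow"},
    {"src": "10.0.0.9", "dst": "198.51.100.3", "dport": 445, "action": "allow"},
    {"src": "198.51.100.4", "dst": "10.0.0.5", "dport": 3389, "action": "allow"},
    {"src": "198.51.100.4", "dst": "10.0.0.6", "dport": 3389, "action": "deny"},
    {"src": "10.0.0.9", "dst": "10.0.0.10", "dport": 445, "action": "allow"},
]
# Constructed auth events: (timestamp_seconds, source_ip, success)
AUTH_EVENTS = [(t, "203.0.113.9", False) for t in range(0, 50, 10)] + [(100, "10.0.0.2", False)]

# Treat RFC 1918 space as the internal network (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS, RDP_PORTS = {139, 445}, {3389}
DETECTIONS = [  # (name, ports, source is internal?, destination is internal?)
    ("smb_external_inbound", SMB_PORTS, False, True),
    ("smb_internal_outbound", SMB_PORTS, True, False),
    ("rdp_external_inbound", RDP_PORTS, False, True),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow):
    """Names of the traffic detections an allowed flow matches (possibly none)."""
    if flow["action"] != "allow":
        return []  # only traffic allowed through the firewall is of interest
    src_int, dst_int = is_internal(flow["src"]), is_internal(flow["dst"])
    return [name for name, ports, s, d in DETECTIONS
            if flow["dport"] in ports and src_int == s and dst_int == d]

def auth_failure_bursts(events, threshold=5, window=60):
    """Source IPs with >= threshold failures inside any span of `window` seconds."""
    fails = defaultdict(list)
    for ts, ip, ok in events:
        if not ok:
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()  # a burst exists if some run of `threshold` failures fits the window
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged
```

Allowed SMB between two internal hosts and denied RDP attempts produce no hit, which mirrors the detections' focus on traffic the firewall actually let through.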