
Firewall detections

Firewalls are network security devices that monitor incoming and outgoing network traffic. Firewalls have been on the defensive line for security for over 25 years. This traffic monitoring lets a firewall allow or block specific traffic based on a defined set of rules. Firewall data is ingested into Devo from a large number of vendors and aggregated into firewall.all.traffic tables.

Firewalls can be hardware, software, or both. In any deployment model, firewalls establish a barrier between a secured, controlled internal network and untrusted external networks.

Identifies SMB traffic from external sources allowed through the firewall. Due to known vulnerabilities with the SMB protocol, this type of external traffic falls outside best practices.

Source table → firewall.all.traffic

Detects SMB traffic from internal to external sources allowed through the firewall.

SMB, or CIFS, is a workgroup protocol for file sharing intended to be used among trusted systems on an internal LAN. A number of risks are associated with internal systems connecting to untrusted external SMB servers, including exploit delivery, credential harvesting, and data exfiltration. SMB access should be limited to the enterprise network to prevent participation in unknown SMB related attacks. Limited exceptions may exist, such as file server access over extranet connections.
Due to known vulnerabilities with the SMB protocol, this type of external traffic falls outside best practices.

Source table → firewall.all.traffic

Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network.

It is recommended that external-facing systems have RDP disabled, or have account lockout configured after repeated failed logins, to prevent brute force attacks.

Source table → firewall.all.traffic

Alerts when Fortinet Firewall detects a high risk application within the environment.

Source table → firewall.fortinet.traffic.forward

Detects excessive Palo Alto firewall authentication failures for a single IP within a short period of time.

Source table → firewall.paloalto.system
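As an added example, not Devo's own detection code or query syntax, the following Python sketches the logic behind the detections above (external SMB allowed in, internal-to-external SMB, external RDP allowed in, and excessive authentication failures per IP in a short window) over constructed sample records. The field names srcIp, dstIp, dstPort, action, result and eventdate, and the use of RFC 1918 ranges to define "internal", are assumptions for this example rather than the firewall.* table schema.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Field names (srcIp, dstIp, dstPort, action, eventdate, result) are assumptions
# for this example, not Devo's published firewall.* schema.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS, RDP_PORT = {139, 445}, 3389

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def traffic_findings(rows):
    """(rule, srcIp, dstIp) for allowed SMB/RDP sessions that cross the perimeter."""
    findings = []
    for r in rows:
        if r["action"] != "allow":
            continue  # blocked traffic is not a finding for these rules
        src_in, dst_in = is_internal(r["srcIp"]), is_internal(r["dstIp"])
        if r["dstPort"] in SMB_PORTS and not src_in and dst_in:
            findings.append(("smb_inbound_external", r["srcIp"], r["dstIp"]))
        elif r["dstPort"] in SMB_PORTS and src_in and not dst_in:
            findings.append(("smb_outbound_external", r["srcIp"], r["dstIp"]))
        elif r["dstPort"] == RDP_PORT and not src_in and dst_in:
            findings.append(("rdp_inbound_external", r["srcIp"], r["dstIp"]))
    return findings

def excessive_auth_failures(events, threshold=5, window=timedelta(minutes=5)):
    """IPs that reach `threshold` failed logins inside any sliding `window`."""
    recent, flagged = defaultdict(list), set()
    for e in sorted(events, key=lambda ev: ev["eventdate"]):
        if e["result"] != "failure":
            continue
        times = recent[e["srcIp"]]
        times.append(e["eventdate"])
        while e["eventdate"] - times[0] > window:  # expire failures outside the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(e["srcIp"])
    return sorted(flagged)

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
TRAFFIC = [
    {"srcIp": "203.0.113.10", "dstIp": "10.1.1.5", "dstPort": 445, "action": "allow"},
    {"srcIp": "10.1.1.20", "dstIp": "198.51.100.7", "dstPort": 445, "action": "allow"},
    {"srcIp": "203.0.113.11", "dstIp": "10.1.1.6", "dstPort": 3389, "action": "allow"},
    {"srcIp": "203.0.113.12", "dstIp": "10.1.1.6", "dstPort": 3389, "action": "deny"},
    {"srcIp": "10.1.1.7", "dstIp": "10.1.1.8", "dstPort": 445, "action": "allow"},
]
T0 = datetime(2024, 1, 1, 12, 0, 0)
AUTH = [{"srcIp": "203.0.113.50", "result": "failure", "eventdate": T0 + timedelta(seconds=20 * i)} for i in range(6)]
AUTH += [{"srcIp": "203.0.113.51", "result": "failure", "eventdate": T0 + timedelta(minutes=7 * i)} for i in range(6)]
```

The second source in AUTH fails six times but never five within one five-minute window, so only the first is flagged; tune threshold and window to the environment's expected login failure rate.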