Firewall detections

Firewalls are network security devices that monitor incoming and outgoing network traffic, and they have been on the defensive line of security for over 25 years. This traffic monitoring lets firewalls allow or block specific traffic based on a defined set of rules. Firewall data is ingested into Devo from a large number of vendors and aggregated into the firewall.all.traffic tables.

Firewalls can be hardware, software, or both. In any deployment model, firewalls establish a barrier between secured, controlled internal networks and the outside, separating trusted from untrusted networks.

Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes.

Source table → firewall.all.traffic

Detects TFTP to an external network address. TFTP is rarely used externally and has been observed as a means to stage data remotely for exfiltration.

Source table → firewall.all.traffic

Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes.

Source table → firewall.all.traffic

Detects inbound SMB scanning from a single external source IP.

Source table → firewall.all.traffic

Detects excessive Palo Alto firewall authentication failures for a single user account within a short period of time.

Source table → firewall.paloalto.system
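The following is an added example, not Devo's own detection code or its LINQ queries: it implements three of the detections above (outbound traffic to a country outside the expected-country lookup, outbound TFTP, and inbound SMB scanning from a single external source) as plain Python over constructed records shaped loosely like firewall.all.traffic rows. The field names, the internal network list and the scan threshold are assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space is an assumption for this example; Devo's real
# tables carry direction/zone fields, but a subnet list keeps this self-contained.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample rows. Field names are assumed, not Devo's schema.
# TEST-NET ranges (RFC 5737) stand in for external addresses.
SAMPLE_TRAFFIC = [
    {"src_ip": "10.0.0.5",   "dst_ip": "203.0.113.10", "dst_port": 443, "dst_country": "US"},
    {"src_ip": "10.0.0.7",   "dst_ip": "198.51.100.4", "dst_port": 443, "dst_country": "RO"},
    {"src_ip": "10.0.0.7",   "dst_ip": "198.51.100.9", "dst_port": 69,  "dst_country": "US"},
    {"src_ip": "192.0.2.44", "dst_ip": "10.0.0.20",    "dst_port": 445, "dst_country": None},
    {"src_ip": "192.0.2.44", "dst_ip": "10.0.0.21",    "dst_port": 445, "dst_country": None},
    {"src_ip": "192.0.2.44", "dst_ip": "10.0.0.22",    "dst_port": 445, "dst_country": None},
    {"src_ip": "10.0.0.9",   "dst_ip": "10.0.0.30",    "dst_port": 445, "dst_country": None},
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound(rec):
    return is_internal(rec["src_ip"]) and not is_internal(rec["dst_ip"])


def unexpected_country_hits(records, expected_countries):
    """Outbound flows whose destination country is absent from the lookup table."""
    return [r for r in records
            if is_outbound(r) and r["dst_country"] not in expected_countries]


def external_tftp_hits(records):
    """Outbound flows to UDP/TCP 69 (TFTP), which is rarely legitimate externally."""
    return [r for r in records if is_outbound(r) and r["dst_port"] == 69]


def smb_scan_sources(records, min_targets=3):
    """External sources that reached >= min_targets distinct internal hosts on 445."""
    targets = defaultdict(set)
    for r in records:
        if r["dst_port"] == 445 and not is_internal(r["src_ip"]) and is_internal(r["dst_ip"]):
            targets[r["src_ip"]].add(r["dst_ip"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)
```

The embargoed-country detection is the same shape as `unexpected_country_hits` with the membership test inverted (alert when the destination country is in the embargo lookup).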