Document toolboxDocument toolbox

Release 32 - Out-of-the-box alerts

Owned by Jonas Gonzalez
Dec 04, 2024
1 min read
[ 1 Overview ] [ 2 Alerts updated ]

Overview

This update improves the functionality and accuracy of several firewall and threat detection alerts. Notable enhancements include the addition of source IP and hostname fields to out-of-the-box (OOTB) alerts, providing richer contextual information for faster incident triage and response. Additionally, a performance-related regular expression error has been resolved by optimizing the regex pattern, ensuring more efficient and reliable rule execution.

These changes strengthen the detection capabilities for network scans, unauthorized SMB traffic, RDP external access, and specific threats such as REvil and HAFNIUM. The updates significantly enhance the system’s reliability and effectiveness in identifying and mitigating security risks.

Alerts updated

Alert name

FWIpScanInternal

FWIrcTrafficExternalDestination

FWPortScanInternalSource

FWPortSweepInternalSource

FWExternalSMBTrafficDetectedFirewall

FWPortScanExternalSource

FWRDPExternalAccess

FWSMBTrafficOutbound

FwTftpOutboundTraffic

REvilKaseyaWebShellsUploadConn

HAFNIUMHttpPostTargetingExchangeServers

HAFNIUMWebShellsTargetingExchangeServers

REvilKaseyaWebShells