
The Devo SciSec Team (Devo’s Threat Research Team) has released this Technology Alert Pack in all Devo domains! This alert pack brings our SecOps-related content to our non-SecOps customers and can help jumpstart your threat coverage.

 

Full release notes and details of every alert in this Alert Pack.

 

Technology Alert Pack - Firewall

Inside this alert pack you will find a plethora of detections that alert when an attacker is targeting or trying to bypass a firewall. These alerts are incredibly important because they let our customers know when they may have a breach!

Firewalls are one of the last bastions of defense for your company, and any firewall that gets compromised can become an open highway for attackers to gain entry into your environments. To provide a more comprehensive security outlook, Devo’s detections give the extra assurance that any crack in the wall will be brought to the attention of your SOC and your company.

 

Download now directly from Devo Exchange by clicking here.

 

Here is a sample of 5 of the alerts in this pack.

SecOpsFWIpScaninternal - Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts.
SecOpsFWSigned - Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by monitoring for suspicious outbound DNS traffic over TCP. The destination name server should be examined for legitimacy.
SecOpsFWRdpTrafficUnauthorized - Detects RDP traffic to hosts that are not on an allowed list.
SECOpsVNCPortOpen - Detects possible VNC connections.
SecOpsFWRDPExternalAccess - Identifies RDP traffic from external sources that was allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network.
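As an added illustration (not Devo's own alert logic, which this post does not show), the following Python applies the ideas behind SecOpsFWIpScaninternal and SecOpsFWRDPExternalAccess to a few constructed firewall log lines; the key=value log format, the internal address ranges and the three-host threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic), one event per line.
SAMPLE_LOGS = """\
ts=1 src=10.0.0.5 dst=10.0.1.10 dport=22 action=allow
ts=2 src=10.0.0.5 dst=10.0.1.11 dport=445 action=deny
ts=3 src=10.0.0.5 dst=10.0.1.12 dport=3306 action=deny
ts=4 src=10.0.0.5 dst=10.0.1.13 dport=8080 action=deny
ts=5 src=10.0.0.9 dst=10.0.1.10 dport=443 action=allow
ts=6 src=10.0.0.9 dst=10.0.1.11 dport=443 action=allow
ts=7 src=10.0.0.9 dst=10.0.1.12 dport=443 action=allow
ts=8 src=203.0.113.7 dst=10.0.2.20 dport=3389 action=allow
ts=9 src=10.0.0.9 dst=10.0.2.20 dport=3389 action=allow
"""

# Assumed internal ranges (RFC 1918); a real deployment would use its own list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    return dict(kv.split("=", 1) for kv in line.split())

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def internal_port_scanners(log_text, min_hosts=3):
    """Low-and-slow internal scan: one internal source touching at least
    min_hosts distinct internal hosts with a different port each time.
    Returns {src: sorted list of (dst, dport)} for sources that match."""
    seen = defaultdict(set)
    for e in map(parse, log_text.splitlines()):
        if is_internal(e["src"]) and is_internal(e["dst"]) and e["src"] != e["dst"]:
            seen[e["src"]].add((e["dst"], int(e["dport"])))
    hits = {}
    for src, pairs in seen.items():
        hosts = {d for d, _ in pairs}
        ports = {p for _, p in pairs}
        # A classic port sweep reuses one port across hosts; this pattern varies the port per host.
        if len(hosts) >= min_hosts and len(ports) == len(pairs):
            hits[src] = sorted(pairs)
    return hits

def external_rdp_allowed(log_text):
    """RDP (TCP/3389) from a non-internal source that the firewall allowed."""
    return sorted({(e["src"], e["dst"]) for e in map(parse, log_text.splitlines())
                   if e["dport"] == "3389" and e["action"] == "allow" and not is_internal(e["src"])})

if __name__ == "__main__":
    print(internal_port_scanners(SAMPLE_LOGS))
    print(external_rdp_allowed(SAMPLE_LOGS))
```

Note that 10.0.0.9 contacts four hosts but is not flagged as a scanner, because it reuses port 443; that is the port-sweep shape this alert deliberately leaves to other detections.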
