Detection rules for SonicWall data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 10 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
| --- | --- | --- | --- |
| SonicWall Anti-Spyware Detection | Discovery | T1082 - System Information Discovery | C:3 / I:2 / A:1 |
| SonicWall Botnet Activity Detected | Command and Control | T1071 - Application Layer Protocol | C:3 / I:3 / A:2 |
| SonicWall Capture ATP Malicious Verdict | Execution | T1204 - User Execution | C:3 / I:3 / A:2 |
| SonicWall Capture Client Threat Detection | Defense Evasion, Privilege Escalation | T1055 - Process Injection | C:3 / I:3 / A:2 |
| SonicWall Encrypted Threats Detection | Command and Control | T1573 - Encrypted Channel | C:3 / I:3 / A:2 |
| SonicWall Gateway Anti-Virus Detection | Command and Control | T1105 - Ingress Tool Transfer | C:3 / I:3 / A:2 |
| SonicWall Intrusion Prevention System Alert | Initial Access | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:3 |
| SonicWall Management Interface Authentication Failures | Credential Access | T1110 - Brute Force | C:3 / I:2 / A:1 |
| SonicWall SSL VPN Authentication Failures | Credential Access | T1133 - External Remote Services | C:3 / I:2 / A:1 |
| SonicWall Zero-Day Threat Detection | Initial Access | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:3 |

Rule Example

Below is an example of a rule definition for SonicWall Anti-Spyware Detection:

# Rule version v1.0.0

dataTypes:
  - firewall-sonicwall
name: SonicWall Anti-Spyware Detection
impact:
  confidentiality: 3
  integrity: 2
  availability: 1
category: Discovery
technique: "T1082 - System Information Discovery"
adversary: origin
references:
  - https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf
  - https://attack.mitre.org/techniques/T1082/
description: |
  Detects when SonicWall Anti-Spyware service identifies and blocks spyware, adware, or other potentially unwanted programs (PUPs) that may be attempting to collect sensitive information or establish persistence on the network.

  Next Steps:
  - Review the detected spyware category and priority level
  - Investigate the source IP address for other malicious activities
  - Check if the blocked spyware represents a targeted attack or widespread infection
  - Verify that Anti-Spyware policies are properly configured and up-to-date
  - Consider quarantining the affected host if multiple spyware detections occur
  - Review network traffic patterns from the source to identify potential data exfiltration
where: |
  (exists("log.spycat") || 
   contains("log.message", "spyware") ||
   contains("log.message", "Anti-Spyware") ||
   contains("log.eventName", "Anti-Spyware") ||
   contains("log.category", "Anti-Spyware") ||
   (exists("log.spypri") && !equals("log.spypri", "0"))) &&
  (equals("action", "blocked") || equals("log.fw_action", "drop"))
afterEvents:
  - indexPattern: v11-log-firewall-sonicwall-*
    with:
      - field: origin.ip
        operator: filter_term
        value: '{{.origin.ip}}'
    within: now-1h
    count: 3
deduplicateBy:
  - adversary.ip
  - target.host
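To make the three stages of the rule above concrete, the following added example (written for this page; it is not the rule engine's own code and does not come from the rule repository) evaluates the `where` predicate, the `afterEvents` correlation and `deduplicateBy` over constructed events. The helpers `exists`, `contains` and `equals` implement the rule language as read from the definition, with case-sensitive matching (the rule lists both "spyware" and "Anti-Spyware"), and `count: 3` is read as "three or more events from the same `origin.ip` in the last hour"; both readings are assumptions. The sample events are constructed in the normalized field layout the rule references and are not real SonicWall logs.

```python
from datetime import datetime, timedelta, timezone

def get_field(event, path):
    """Resolve a dotted field path such as 'log.spycat' against nested dicts."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

# Assumed semantics of the rule language's helpers (not the engine's own code).
def exists(event, path):
    return get_field(event, path) is not None

def contains(event, path, needle):
    value = get_field(event, path)
    return isinstance(value, str) and needle in value  # case-sensitive: the rule lists both spellings

def equals(event, path, expected):
    value = get_field(event, path)
    return value is not None and str(value) == expected

def where(event):
    """The rule's `where` block, clause for clause."""
    spyware_signal = (
        exists(event, "log.spycat")
        or contains(event, "log.message", "spyware")
        or contains(event, "log.message", "Anti-Spyware")
        or contains(event, "log.eventName", "Anti-Spyware")
        or contains(event, "log.category", "Anti-Spyware")
        or (exists(event, "log.spypri") and not equals(event, "log.spypri", "0"))
    )
    was_blocked = equals(event, "action", "blocked") or equals(event, "log.fw_action", "drop")
    return spyware_signal and was_blocked

def after_events(event, index, window=timedelta(hours=1), count=3):
    """afterEvents: look back `window` in the firewall index for events with the
    same origin.ip (filter_term) and fire only when at least `count` are found.
    Reading `count: 3` as 'three or more' is an assumption."""
    ip = get_field(event, "origin.ip")
    start = event["@timestamp"] - window
    hits = [e for e in index
            if get_field(e, "origin.ip") == ip and start <= e["@timestamp"] <= event["@timestamp"]]
    return len(hits) >= count

def run_rule(events):
    """where -> afterEvents -> deduplicateBy, in that order; returns the alerts."""
    alerts, seen = [], set()
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not where(event) or not after_events(event, events):
            continue
        key = (get_field(event, "adversary.ip"), get_field(event, "target.host"))
        if key in seen:  # deduplicateBy: one alert per adversary.ip / target.host pair
            continue
        seen.add(key)
        alerts.append(event)
    return alerts

def build_sample_events():
    """Constructed events in the normalized layout the rule reads; not real SonicWall logs."""
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    def ev(minutes, ip, host, action="blocked", **log):
        return {"@timestamp": t0 + timedelta(minutes=minutes), "action": action,
                "origin": {"ip": ip}, "adversary": {"ip": ip}, "target": {"host": host}, "log": log}
    return [
        ev(0,  "10.1.1.50", "ws-01", spycat="Adware", spypri="2", message="Anti-Spyware Prevention Alert"),
        ev(10, "10.1.1.50", "ws-01", spycat="Adware", spypri="2", message="Anti-Spyware Prevention Alert"),
        ev(20, "10.1.1.50", "ws-01", spypri="1", message="spyware download blocked"),   # 3rd event -> alert
        ev(30, "10.1.1.50", "ws-01", spypri="0", message="spyware download blocked"),   # deduplicated
        ev(5,  "10.1.1.77", "ws-02", spypri="0", message="Anti-Spyware Prevention Alert"),
        ev(25, "10.1.1.77", "ws-02", action="allowed", category="Anti-Spyware", fw_action="drop"),
        ev(40, "10.1.1.77", "ws-02", spypri="0", message="Signature update completed"),  # fails where
        ev(45, "10.1.1.77", "ws-02", spycat="Keylogger"),                                 # 4th event -> alert
        ev(150, "10.1.1.50", "ws-03", spycat="Adware"),                                   # window expired
    ]

if __name__ == "__main__":
    for alert in run_rule(build_sample_events()):
        print(alert["@timestamp"].isoformat(), get_field(alert, "adversary.ip"), get_field(alert, "target.host"))
```

Note that `after_events` counts every event from the same source in the window, not only those that satisfy `where`, because the `afterEvents` filter in the definition keys on `origin.ip` alone; the event at minute 40 therefore still contributes to the count for 10.1.1.77 even though it does not match the predicate itself.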

Rule Details

SonicWall Anti-Spyware Detection

Detects when SonicWall Anti-Spyware service identifies and blocks spyware, adware, or other potentially unwanted programs (PUPs) that may be attempting to collect sensitive information or establish persistence on the network.

SonicWall Botnet Activity Detected

Detects potential botnet command and control (C2) communication or infected host behavior identified by SonicWall's botnet filter. This includes suspicious outbound connections, HTML infection chains, or known botnet signatures.

SonicWall Capture ATP Malicious Verdict

Detects when SonicWall Capture ATP (Advanced Threat Protection) identifies a file as malicious after sandbox analysis. This indicates an attempted malware delivery or execution that was blocked by the ATP service.

SonicWall Capture Client Threat Detection

Detects threats identified by SonicWall Capture Client including advanced malware, zero-day exploits, and sophisticated attack techniques. Capture Client provides advanced threat protection through sandboxing and behavioral analysis.

SonicWall Encrypted Threats Detection

Detects threats hidden in encrypted traffic identified by SonicWall DPI-SSL (Deep Packet Inspection of SSL/TLS) including malware, exploits, and data exfiltration attempts over encrypted channels. This rule identifies when SonicWall's advanced threat protection has detected malicious activity within encrypted communications.

SonicWall Gateway Anti-Virus Detection

Detects when SonicWall Gateway Anti-Virus (GAV) identifies and blocks malicious content. This indicates potential malware attempting to enter the network through web traffic, email attachments, or file downloads. The Gateway Anti-Virus service scans HTTP, HTTPS, FTP, and SMTP traffic in real-time to detect and prevent malware from entering the network perimeter.

SonicWall Intrusion Prevention System Alert

Detects when SonicWall IPS identifies and blocks intrusion attempts, including buffer overflows, SQL injection, cross-site scripting, and other network-based attacks targeting vulnerabilities. This rule triggers when the SonicWall firewall's Intrusion Prevention System detects malicious traffic patterns or known attack signatures.

SonicWall Management Interface Authentication Failures

Detects multiple failed authentication attempts to the SonicWall management interface, indicating potential brute force attacks against administrative credentials.

SonicWall SSL VPN Authentication Failures

Detects multiple SSL VPN authentication failures from the same source IP on SonicWall firewalls, indicating brute force or credential stuffing attacks against remote access services.
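Both authentication-failure rules reduce to the same detection logic: parse the firewall's key=value syslog lines, group failures by source IP, and alert once a threshold of failures falls inside a sliding window. The following added example (written for this page, not the rules' own definitions) does that over constructed lines laid out in SonicWall's syslog style. The field names `time`, `fw`, `pri`, `msg`, `usr`, `src` and `dst` are SonicWall's; the serial number, addresses and message texts are made up, and the threshold of 5 failures in 10 minutes is assumed, since the page does not state the rules' actual values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

# Constructed sample lines in SonicWall's key=value syslog layout; the serial,
# addresses and message texts are invented for this example.
SAMPLE_LINES = [
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:00:05 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=alice src=198.51.100.23:51234:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:00:20 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=bob src=198.51.100.23:51240:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:00:41 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=carol src=198.51.100.23:51251:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:01:02 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=dave src=198.51.100.23:51263:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:01:30 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=erin src=198.51.100.23:51270:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:02:10 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=alice src=198.51.100.23:51288:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:00:15 UTC" fw=203.0.113.1 pri=1 msg="SSL VPN login failed" usr=alice src=198.51.100.40:40001:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:05:00 UTC" fw=203.0.113.1 pri=6 msg="SSL VPN login succeeded" usr=alice src=198.51.100.40:40002:X1 dst=203.0.113.1:443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:00:00 UTC" fw=203.0.113.1 pri=1 msg="Administrator login failed" usr=admin src=192.0.2.9:60001:X1 dst=203.0.113.1:4443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:03:00 UTC" fw=203.0.113.1 pri=1 msg="Administrator login failed" usr=admin src=192.0.2.9:60002:X1 dst=203.0.113.1:4443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:06:00 UTC" fw=203.0.113.1 pri=1 msg="Administrator login failed" usr=admin src=192.0.2.9:60003:X1 dst=203.0.113.1:4443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:09:00 UTC" fw=203.0.113.1 pri=1 msg="Administrator login failed" usr=admin src=192.0.2.9:60004:X1 dst=203.0.113.1:4443:X1',
    'id=firewall sn=PLACEHOLDER time="2024-01-15 09:12:00 UTC" fw=203.0.113.1 pri=1 msg="Administrator login failed" usr=admin src=192.0.2.9:60005:X1 dst=203.0.113.1:4443:X1',
]

def parse_line(line):
    """Split one syslog line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields

def event_time(fields):
    # SonicWall's time field looks like "2024-01-15 09:00:05 UTC"
    stamp = fields["time"].replace(" UTC", "")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def source_ip(fields):
    # src carries ip:port:interface; only the address is needed for grouping
    return fields.get("src", "").split(":")[0]

def classify(fields):
    """Map a line to one of the two rules. The message texts matched here are the
    constructed ones used in SAMPLE_LINES, not SonicWall's exact event strings."""
    msg = fields.get("msg", "")
    if "login failed" not in msg:
        return None
    return "ssl_vpn_auth_failures" if "SSL VPN" in msg else "management_auth_failures"

def detect_auth_failures(lines, threshold=5, window=timedelta(minutes=10)):
    """Group failures per (rule, source IP) and alert the first time `threshold`
    failures fall inside a sliding `window`. Threshold and window are assumed values."""
    failures = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        rule = classify(fields)
        if rule is not None:
            failures[(rule, source_ip(fields))].append((event_time(fields), fields.get("usr", "")))
    alerts = {}
    for key, attempts in failures.items():
        attempts.sort()
        for i, (when, _) in enumerate(attempts):
            recent = [(t, u) for t, u in attempts[: i + 1] if t >= when - window]
            if len(recent) >= threshold:
                # many distinct usernames from one IP points at credential stuffing rather than a single-account brute force
                alerts[key] = {"alert_at": when, "attempts": len(recent),
                               "distinct_users": len({u for _, u in recent})}
                break
    return alerts

if __name__ == "__main__":
    for (rule, ip), hit in detect_auth_failures(SAMPLE_LINES).items():
        print(rule, ip, hit["alert_at"].isoformat(), hit["attempts"], "attempts,", hit["distinct_users"], "users")
```

With the assumed threshold the SSL VPN source 198.51.100.23 alerts at 09:01:30 with five distinct usernames, while the management-interface failures from 192.0.2.9 never reach five inside any ten-minute span and stay silent; lowering the threshold to four surfaces them, which is the kind of tuning these two rules need per environment.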

SonicWall Zero-Day Threat Detection

Detects zero-day threats and unknown malware identified by SonicWall Capture ATP service including sandbox detonations and RTDMI (Real-Time Deep Memory Inspection) alerts. This rule triggers when the SonicWall firewall identifies previously unknown threats through advanced analysis techniques.