Detection rules for XG Firewall data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 9 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
|------|----------|-----------|----------------|
| Probable Sophos denial of service (DoS) attack | Impact | T1499 - Endpoint Denial of Service | C:3 / I:3 / A:3 |
| Probable Sophos initial access vulnerability | Initial Access | T1078.001 - Valid Accounts: Default Accounts | C:2 / I:2 / A:1 |
| Probable Sophos ip spoofing attack | Impact | T1499 - Endpoint Denial of Service | C:3 / I:3 / A:3 |
| Probable malware detected by sophos firewall | Execution | T1204 - User Execution | C:3 / I:3 / A:3 |
| Probable password guessing in Sophos Administrator account | Credential Access | T1110.001 - Brute Force: Password Guessing | C:3 / I:3 / A:2 |
| Sophos XG Advanced Threat Protection Alert | Malware | T1204 - User Execution | C:3 / I:3 / A:2 |
| Sophos XG IPS Alert Detection | Intrusion Detection | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:2 |
| Sophos XG VPN Authentication Failures | Credential Access | T1110 - Brute Force | C:3 / I:2 / A:1 |
| Sophos detected high priority alerts | Initial Access | T1190 - Exploit Public-Facing Application | C:3 / I:3 / A:3 |

Rule Example

Below is an example of a rule definition for Probable Sophos denial of service (DoS) attack:

# Rule version v1.0.0

dataTypes:
  - "firewall-sophos-xg"
name: "Probable Sophos denial of service (DoS) attack"
impact:
  confidentiality: 3
  integrity: 3
  availability: 3
category: "Impact"
technique: "T1499 - Endpoint Denial of Service"
adversary: origin
references: 
  - "https://support.sophos.com/support/s/article/KB-000035754?language=en_US"
  - "https://docs.sophos.com/nsg/sophos-firewall/18.5/PDF/SF%20syslog%20guide%2018.5.pdf"
  - "https://attack.mitre.org/tactics/TA0040"
  - "https://attack.mitre.org/techniques/T1499/"
description: "A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to the intended users.
              One common method of attack involves saturating the target machine with external communications requests so that it cannot
              respond to legitimate traffic or the machine responds so slowly that it is essentially useless."
where: |
  equalsIgnoreCase("log.component", "dos attacks") && equalsIgnoreCase("log.subType", "dos")
groupBy:
  - adversary.ip
  - target.ip
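To show how the where and groupBy clauses above behave on input, here is an added example (not code from the original page or from the rule repository) that parses Sophos XG style key="value" syslog lines in Python, applies the same two equalsIgnoreCase conditions and groups the hits by adversary.ip and target.ip. The sample lines, the raw field names (log_component, log_subtype, src_ip, dst_ip) and the mapping from them onto the normalized log.component / log.subType / adversary.ip / target.ip fields are assumptions made for illustration, not verified Sophos output.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of Sophos XG syslog.
# Field names follow the style of the syslog guide; the values are made up.
SAMPLE_LOGS = [
    # Two DoS events from the same source against the same target, different case
    'device="SFW" date=2024-03-01 time=10:00:01 timezone="UTC" device_name="SFVUNL" '
    'log_id=010101600001 log_type="Firewall" log_component="DoS Attacks" log_subtype="DoS" '
    'status="Deny" src_ip=203.0.113.10 dst_ip=192.0.2.5 protocol="TCP" msg="SYN flood detected"',
    'device="SFW" date=2024-03-01 time=10:00:03 timezone="UTC" device_name="SFVUNL" '
    'log_id=010101600001 log_type="Firewall" log_component="dos attacks" log_subtype="dos" '
    'status="Deny" src_ip=203.0.113.10 dst_ip=192.0.2.5 protocol="UDP" msg="UDP flood detected"',
    # One DoS event from a second source
    'device="SFW" date=2024-03-01 time=10:00:07 timezone="UTC" device_name="SFVUNL" '
    'log_id=010101600001 log_type="Firewall" log_component="DoS Attacks" log_subtype="DoS" '
    'status="Deny" src_ip=198.51.100.7 dst_ip=192.0.2.5 protocol="ICMP" msg="ICMP flood detected"',
    # Ordinary denied traffic: wrong component, must not fire
    'device="SFW" date=2024-03-01 time=10:00:09 timezone="UTC" device_name="SFVUNL" '
    'log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" '
    'status="Deny" src_ip=198.51.100.7 dst_ip=192.0.2.5 protocol="TCP" msg="Denied by rule"',
    # Right component but a different sub type: the && in the where clause rejects it
    'device="SFW" date=2024-03-01 time=10:00:11 timezone="UTC" device_name="SFVUNL" '
    'log_id=010101600001 log_type="Firewall" log_component="DoS Attacks" log_subtype="Info" '
    'status="Allow" src_ip=198.51.100.7 dst_ip=192.0.2.5 protocol="TCP" msg="Rate limit cleared"',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_sophos_line(line: str) -> dict:
    """Split one key="value" syslog line into a dict of raw field names."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


# Assumed mapping from raw Sophos field names to the normalized names the rule uses.
FIELD_MAP = {
    "log_component": "log.component",
    "log_subtype": "log.subType",
    "src_ip": "adversary.ip",
    "dst_ip": "target.ip",
}


def normalize(raw: dict) -> dict:
    """Add the normalized field names alongside the raw ones."""
    event = dict(raw)
    for src, dst in FIELD_MAP.items():
        if src in raw:
            event[dst] = raw[src]
    return event


def equals_ignore_case(event: dict, field: str, expected: str) -> bool:
    """Mirror of the rule language's equalsIgnoreCase(field, value); a missing field never matches."""
    value = event.get(field)
    return value is not None and value.casefold() == expected.casefold()


def matches_dos_rule(event: dict) -> bool:
    """The where clause: equalsIgnoreCase("log.component", "dos attacks") && equalsIgnoreCase("log.subType", "dos")."""
    return (equals_ignore_case(event, "log.component", "dos attacks")
            and equals_ignore_case(event, "log.subType", "dos"))


def run_dos_rule(lines) -> Counter:
    """Apply the where clause, then count hits per (adversary.ip, target.ip) as groupBy does."""
    hits = Counter()
    for line in lines:
        event = normalize(parse_sophos_line(line))
        if matches_dos_rule(event):
            hits[(event.get("adversary.ip"), event.get("target.ip"))] += 1
    return hits


if __name__ == "__main__":
    for (adversary, target), count in run_dos_rule(SAMPLE_LOGS).items():
        print(f"DoS rule hit: {adversary} -> {target} ({count} events)")
```

Grouping on the (adversary.ip, target.ip) pair means one source flooding many hosts yields one alert per target; if that is too noisy, grouping on adversary.ip alone collapses a sweep into a single alert while keeping the target list in the attached events.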

Rule Details

Probable Sophos denial of service (DoS) attack

A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to the intended users. One common method of attack involves saturating the target machine with external communications requests so that it cannot respond to legitimate traffic or the machine responds so slowly that it is essentially useless.

Probable Sophos initial access vulnerability

The Sophos firewall has logged activation of the Guest account, a default account that an attacker can use for initial access.

Probable Sophos ip spoofing attack

IP spoofing is the creation of Internet Protocol (IP) packets with a forged source address, either to hide the identity of the sender, to impersonate another computer system, or both. Attackers commonly use it when launching DDoS attacks against a target device or the surrounding infrastructure, since the forged source both hides the attacker and defeats simple source-based filtering.

Probable malware detected by sophos firewall

The Sophos firewall has detected a suspicious event and has taken action according to its configuration.

Probable password guessing in Sophos Administrator account

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Sophos XG Advanced Threat Protection Alert

Detects when Sophos XG Firewall's Advanced Threat Protection (ATP) identifies malicious activity, including sandboxing results, malware detection, and zero-day threats. This rule triggers on ATP events indicating threat detection, malware identification, or virus findings.

Sophos XG IPS Alert Detection

Detects IPS alert triggers on Sophos XG Firewall indicating active exploitation attempts, vulnerability scanning, or known attack signatures targeting protected hosts.

Sophos XG VPN Authentication Failures

Detects multiple VPN authentication failures on Sophos XG Firewall, indicating potential brute force attacks against SSL VPN or IPsec VPN services.
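Neither this rule nor the administrator password guessing rule above states how many failures within what window should fire. The following added example (not the page's or the repository's code) shows one way to implement that thresholding: a per-source sliding window over authentication failures that also reports how many distinct user names were tried, which separates a single-account brute force from a password spray. The key="value" layout, the field names (log_component, log_subtype, status, user_name, src_ip), the 5 failures in 5 minutes threshold and the assumption that VPN events carry "vpn" in log_component are all assumptions for illustration; the same function serves the administrator rule by swapping the component filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: a burst of failures from one source trying five different
# users, a single failure followed by a success from another, and one admin console
# failure. Field names are assumptions, not verified Sophos field names.
VPN_SAMPLE_LOGS = [
    'date=2024-03-01 time=10:00:01 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="alice" src_ip=203.0.113.10',
    'date=2024-03-01 time=10:00:05 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="bob" src_ip=203.0.113.10',
    'date=2024-03-01 time=10:00:09 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="carol" src_ip=203.0.113.10',
    'date=2024-03-01 time=10:00:14 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="dave" src_ip=203.0.113.10',
    'date=2024-03-01 time=10:00:20 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="eve" src_ip=203.0.113.10',
    'date=2024-03-01 time=10:03:00 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Failed" user_name="alice" src_ip=198.51.100.7',
    'date=2024-03-01 time=10:03:30 log_type="Event" log_component="SSL VPN" log_subtype="Authentication" status="Success" user_name="alice" src_ip=198.51.100.7',
    'date=2024-03-01 time=10:03:40 log_type="Event" log_component="GUI" log_subtype="Authentication" status="Failed" user_name="admin" src_ip=203.0.113.10',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line: str) -> dict:
    """Split one key="value" syslog line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def is_vpn_component(component: str) -> bool:
    # Assumption: VPN authentication events (SSL VPN, IPsec) carry "vpn" in log_component
    return "vpn" in component.casefold()


def detect_auth_bruteforce(lines, component_match=is_vpn_component,
                           threshold=5, window=timedelta(minutes=5)) -> dict:
    """Return {src_ip: (failures_in_window, distinct_users)} for every source that
    reaches `threshold` authentication failures inside any span of length `window`."""
    failures = []
    for line in lines:
        ev = parse(line)
        if not component_match(ev.get("log_component", "")):
            continue
        if ev.get("log_subtype", "").casefold() != "authentication":
            continue
        if ev.get("status", "").casefold() != "failed":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        failures.append((ts, ev.get("src_ip", "?"), ev.get("user_name", "?")))
    failures.sort()  # syslog may arrive out of order; the window needs time order

    recent = defaultdict(deque)  # src_ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for ts, src, user in failures:
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = (len(q), len({u for _, u in q}))
    return alerts


if __name__ == "__main__":
    for src, (count, users) in detect_auth_bruteforce(VPN_SAMPLE_LOGS).items():
        kind = "password spray" if users > 1 else "single-account brute force"
        print(f"{src}: {count} VPN auth failures across {users} users ({kind})")
```

A source that stops just under the threshold and resumes after the window expires never fires; lowering the threshold or widening the window trades that miss against false positives from users mistyping passwords, which is why the distinct-user count is worth carrying into the alert.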

Sophos detected high priority alerts

The Sophos firewall device has logged a high priority event. For the purpose of this alert, high priority means the log priority is Emergency, Critical or Alert and the event does not come from an application on the list of risky applications. See the logs attached to this alert for additional details.