TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Starter Queries for Sonicwall Firewall
Query List
Admin Authentication
Description
This search returns authentication attempts, successful and failed, made by admin accounts against any of the device's management interfaces, including the CLI and logons arriving through the VPN and WAN zones. The data points of interest are attempts whose source.ip lies outside your internal networks, and WAN zone admin logons (code 236) in particular, since those mean an administrator session was established from the WAN side. Either indicates a risky configuration that exposes the device's management plane to attack; a run of code 30 or 200 failures from a single external source.ip is the brute-force case and should be treated as an active attempt rather than a misconfiguration.
Search Query
from logs
| where event.provider=="Syslog-SonicWall"
| where event.code=="29" OR event.code=="30" OR event.code=="199" OR event.code=="200" OR event.code=="235" OR event.code=="236"
| keep host.ip, sonicwall.sn, event.code, source.ip, sonicwall.usr, sonicwall.sess
Event Code Breakdown
| Event Code | Description |
|---|---|
| 29 | Admin logon success |
| 30 | Admin logon failure due to bad password |
| 199 | Admin CLI logon success |
| 200 | Admin CLI logon failure |
| 235 | VPN Zone admin logon success |
| 236 | WAN Zone admin logon success |
Kept Field Breakdown
| Field | Description |
|---|---|
| host.ip | The IP of the device logging the event. |
| sonicwall.sn | The serial number of the device logging the event. |
| event.code | The SonicWall event ID (see the Event Code Breakdown above). |
| source.ip | The IP the authentication attempt originated from. |
| sonicwall.usr | The name of the account attempting authentication. |
| sonicwall.sess | The type of authentication session. |
User Login Failures
Description
This search returns authentication failures where the supplied account is unknown to the device (code 33) or the user is already logged in (code 759). Many unknown-user failures from one source.ip across different usernames point to username enumeration or credential spraying; a code 759 for an account that should only ever have one session is worth confirming with the account's owner, since it can mean a second party is using the credential.
Search Query
from logs
| where event.provider=="Syslog-SonicWall"
| where event.code=="33" OR event.code=="759"
| keep host.ip, sonicwall.sn, event.code, source.ip, sonicwall.usr, sonicwall.sess
Event Code Breakdown
| Event Code | Description |
|---|---|
| 33 | Logon failure due to unknown user |
| 759 | Logon failure due to user already logged in |
Kept Field Breakdown
| Field | Description |
|---|---|
| host.ip | The IP of the device logging the event. |
| sonicwall.sn | The serial number of the device logging the event. |
| event.code | The SonicWall event ID (see the Event Code Breakdown above). |
| source.ip | The IP the authentication attempt originated from. |
| sonicwall.usr | The name of the account attempting authentication. |
| sonicwall.sess | The type of authentication session. |
Firewall Rule Management
Description
This search returns firewall access rule management events: creation, modification, and deletion of rules. Compare the results against your change records to validate authorized changes and surface unauthorized ones; sonicwall.note describes what changed, and sonicwall.usr together with sonicwall.sess identify who made the change and from what type of session. A rule change made outside a change window, or by an account that does not normally administer the device, is the case to escalate.
Search Query
from logs
| where event.provider=="Syslog-SonicWall"
| where event.code=="440" OR event.code=="441" OR event.code=="442"
| keep host.ip, sonicwall.sn, event.code, sonicwall.rule, sonicwall.srcZone, sonicwall.dstZone, sonicwall.note, sonicwall.usr, sonicwall.sess
Event Code Breakdown
| Event Code | Description |
|---|---|
| 440 | Access Rule Created |
| 441 | Access Rule Modified |
| 442 | Access Rule Deleted |
Kept Field Breakdown
| Field | Description |
|---|---|
| host.ip | The IP of the device logging the event. |
| sonicwall.sn | The serial number of the device logging the event. |
| event.code | The SonicWall event ID (see the Event Code Breakdown above). |
| sonicwall.rule | The access rule the event refers to. |
| sonicwall.srcZone | The source zone of the firewall rule. |
| sonicwall.dstZone | The destination zone of the firewall rule. |
| sonicwall.note | Contains details about the firewall rule change. |
| sonicwall.usr | The account that created, modified, or deleted the firewall rule. |
| sonicwall.sess | The type of session the change occurred in. |
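The following is an added example, not part of the Huntress page or product, that runs the three searches above (Admin Authentication, User Login Failures, Firewall Rule Management) over a handful of constructed SonicWall-style syslog lines so the filters and the "external source" check from the Admin Authentication description can be seen working offline. The key=value line shape, the message text, and the mapping of raw keys (fw, sn, m, usr, sess, src, rule, srcZone, dstZone, note) onto the page's field names are assumptions made for the example; the sample lines are constructed and are not real device output.

```python
import ipaddress
import re
from typing import Dict, List, Sequence

# Constructed sample lines in the shape of SonicWall's key=value syslog format:
# m= is the event ID the page calls event.code, fw= the logging device's IP,
# sn= its serial number, src= source IP:port:interface. Values and message
# text are made up for this example; they are not real device output.
SAMPLE_LOGS = [
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:12:01 UTC" fw=203.0.113.10 pri=6 c=32 m=29 '
    'msg="Administrator login allowed" sess="Web" usr="admin" src=10.10.1.25:52114:X0 dst=10.10.1.1:443:X0',
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:13:44 UTC" fw=203.0.113.10 pri=6 c=32 m=236 '
    'msg="WAN zone administrator login allowed" sess="Web" usr="admin" src=198.51.100.77:40122:X1 dst=203.0.113.10:443:X1',
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:14:02 UTC" fw=203.0.113.10 pri=4 c=32 m=30 '
    'msg="Administrator login denied due to bad credentials" sess="Web" usr="admin" src=198.51.100.77:40130:X1 dst=203.0.113.10:443:X1',
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:15:10 UTC" fw=203.0.113.10 pri=4 c=32 m=33 '
    'msg="User login denied due to unknown user" sess="Web" usr="jsmith" src=198.51.100.77:40150:X1 dst=203.0.113.10:443:X1',
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:20:00 UTC" fw=203.0.113.10 pri=5 c=1024 m=441 '
    'msg="Access rule modified" sess="Web" usr="admin" srcZone=WAN dstZone=LAN rule="Allow RDP" '
    'note="Action changed from Deny to Allow"',
    'id=firewall sn=0017C5AABBCC time="2024-03-01 09:21:00 UTC" fw=203.0.113.10 pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=10.10.1.25:51000:X0 dst=93.184.216.34:443:X1 proto=tcp/https',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Raw SonicWall keys -> the field names used in the page's queries.
# This mapping is an assumption about how the SIEM normalises the feed.
FIELD_MAP = {
    "fw": "host.ip", "sn": "sonicwall.sn", "m": "event.code", "usr": "sonicwall.usr",
    "sess": "sonicwall.sess", "rule": "sonicwall.rule", "srcZone": "sonicwall.srcZone",
    "dstZone": "sonicwall.dstZone", "note": "sonicwall.note", "msg": "message",
}


def parse_sonicwall_line(line: str) -> Dict[str, str]:
    """Parse one syslog line into the normalised field names used on this page."""
    event = {"event.provider": "Syslog-SonicWall"}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        if key == "src":
            # src=IP:port:interface; the queries only keep the IP part.
            event["source.ip"] = value.split(":")[0]
        elif key in FIELD_MAP:
            event[FIELD_MAP[key]] = value
    return event


def select(events, codes: Sequence[str], keep: Sequence[str]) -> List[Dict[str, str]]:
    """Equivalent of: where event.provider=="Syslog-SonicWall" | where event.code in codes | keep ..."""
    return [
        {field: e.get(field, "") for field in keep}
        for e in events
        if e.get("event.provider") == "Syslog-SonicWall" and e.get("event.code") in codes
    ]


AUTH_KEEP = ("host.ip", "sonicwall.sn", "event.code", "source.ip", "sonicwall.usr", "sonicwall.sess")
RULE_KEEP = ("host.ip", "sonicwall.sn", "event.code", "sonicwall.rule", "sonicwall.srcZone",
             "sonicwall.dstZone", "sonicwall.note", "sonicwall.usr", "sonicwall.sess")


def admin_authentication(events):
    return select(events, ("29", "30", "199", "200", "235", "236"), AUTH_KEEP)


def user_login_failures(events):
    return select(events, ("33", "759"), AUTH_KEEP)


def firewall_rule_management(events):
    return select(events, ("440", "441", "442"), RULE_KEEP)


# "Internal networks" here means RFC 1918 plus loopback; adjust to your own address plan.
# ipaddress.is_private is deliberately not used: it also treats the TEST-NET
# documentation ranges used in the sample lines as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # empty or malformed source.ip: do not flag
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_admin_logons(events):
    """Admin Authentication results whose source.ip is outside the internal networks."""
    return [r for r in admin_authentication(events) if is_external(r["source.ip"])]


if __name__ == "__main__":
    parsed = [parse_sonicwall_line(line) for line in SAMPLE_LOGS]
    for row in external_admin_logons(parsed):
        print(f'code={row["event.code"]} usr={row["sonicwall.usr"]} '
              f'src={row["source.ip"]} sess={row["sonicwall.sess"]}')
```

Run stand-alone, the script prints the two admin authentication events from 198.51.100.77 (the successful WAN zone logon, code 236, and the bad-password failure, code 30) and ignores the internal logon and the unrelated connection event. The external check is the part to tune: INTERNAL_NETS should match your own management and VPN address ranges, otherwise a legitimate admin connecting over a site-to-site VPN with non-RFC 1918 addressing will be flagged alongside genuine WAN-side logons.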