TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Syslog
SUMMARY: Starter Queries for Sophos Firewall
Query List
Local Firewall Authentication
Description
This search returns authentication attempts to the firewall made with local accounts. Following best practices, these should not be possible from the Internet, so any local-account authentication that originates outside the internal network deserves review. The query in the Additional Filter Options section below narrows the results to exactly those attempts.
Search Query
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17701" OR event.code=="17702" OR event.code=="17704" OR event.code=="17705"
| keep event.code, sophos.status, sophos.user_name, sophos.auth_mechanism, sophos.reason, sophos.src_ip, sophos.src_country
Additional Filter Options
Exclude Internal (RFC1918) IPs
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17701" OR event.code=="17702" OR event.code=="17704" OR event.code=="17705"
| where sophos.src_country!="R1"
| keep event.code, sophos.status, sophos.user_name, sophos.auth_mechanism, sophos.reason, sophos.src_ip, sophos.src_country
Event Code Breakdown
Event Code | Description
---|---
17701 | Successful Authentication to Firewall
17702 | Failed Authentication to Firewall
17704 | Successful Authentication to MyAccount
17705 | Failed Authentication to MyAccount
Kept Field Breakdown
Field | Description
---|---
sophos.status | Indicates whether the authentication attempt resulted in success or failure.
sophos.user_name | The name of the account attempting to authenticate.
sophos.auth_mechanism | The method used to validate the authentication attempt.
sophos.reason | The reason the authentication attempt failed. Only appears in failure events.
sophos.src_ip | The IP address the authentication attempt originated from.
sophos.src_country | The three-letter ISO 3166 country code the authentication attempt originated from.
VPN Authentication
Description
This query returns VPN authentications. These are expected to originate from the Internet. The Additional Filter Option can be added to show only attempts originating outside the United States.
Search Query
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17707" OR event.code=="17708" OR event.code=="17710" OR event.code=="17711" OR event.code=="17718" OR event.code=="17719"
| keep event.code, sophos.status, sophos.user_name, sophos.client_used, sophos.auth_mechanism, sophos.reason, sophos.src_ip, sophos.src_country
Additional Filter Option
Exclude United States Origins
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17707" OR event.code=="17708" OR event.code=="17710" OR event.code=="17711" OR event.code=="17718" OR event.code=="17719"
| where sophos.src_country!="USA"
| where sophos.src_country!="R1"
| keep event.code, sophos.status, sophos.user_name, sophos.client_used, sophos.auth_mechanism, sophos.reason, sophos.src_ip, sophos.src_country
Event Code Breakdown
Event Code | Description
---|---
17707 | Successful VPN Authentication
17708 | Failed VPN Authentication
17710 | Successful SSLVPN Authentication
17711 | Failed SSLVPN Authentication
17718 | Successful VPN Portal Authentication
17719 | Failed VPN Portal Authentication
Kept Field Breakdown
Field | Description
---|---
sophos.status | Indicates whether the authentication attempt resulted in success or failure.
sophos.user_name | The name of the account attempting to authenticate.
sophos.client_used | The type of client used in the authentication attempt.
sophos.auth_mechanism | The method used to validate the authentication attempt.
sophos.reason | The reason the authentication attempt failed. Only appears in failure events.
sophos.src_ip | The IP address the authentication attempt originated from.
sophos.src_country | The three-letter ISO 3166 country code the authentication attempt originated from.
Admin Authentications
Description
This query returns details of authentication attempts made with admin-level accounts.
Search Query
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17507"
| keep sophos.log_component, sophos.status, sophos.user_name, sophos.src_ip, sophos.message
Event Code Breakdown
Event Code | Description
---|---
17507 | Administrator account authentication attempt
Kept Field Breakdown
Field | Description
---|---
sophos.log_component | Indicates which type of interface the authentication was attempted against. Typically either GUI or CLI.
sophos.status | Indicates whether the authentication attempt resulted in success or failure.
sophos.user_name | The user name that attempted the authentication.
sophos.src_ip | The IP address the authentication attempt originated from.
sophos.message | A human-readable description of the event.
Firewall Rule Management
Description
This query returns all firewall rule additions, modifications, reorderings, and deletions. The results can be used to validate approved changes and detect unauthorized ones.
Search Query
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17501" OR event.code=="17502" OR event.code=="17503" OR event.code=="17504"
| where sophos.message LIKE "Firewall%"
| keep event.code, sophos.user_name, sophos.src_ip, sophos.message
Event Code Breakdown
Event Code | Description
---|---
17501 | A firewall rule was created
17502 | A firewall rule was updated
17503 | A firewall rule was deleted
17504 | A firewall rule was reordered
Kept Field Breakdown
Field | Description
---|---
sophos.user_name | The account name performing the firewall rule change.
sophos.src_ip | The IP of the logged-on host making the configuration change.
sophos.message | A human-readable description of the configuration change. This includes the name of the firewall rule affected by the change.
Account Management
Description
This query returns all user account creation, modification, and deletion events. The results can be used to validate approved configuration changes and detect unauthorized ones.
Search Query
from logs
| where event.provider=="Syslog-Sophos"
| where event.code=="17501" OR event.code=="17502" OR event.code=="17503" OR event.code=="17504"
| where sophos.message LIKE "User%"
| keep event.code, sophos.user_name, sophos.src_ip, sophos.message
Event Code Breakdown
Event Code | Description
---|---
17501 | A user account was created
17502 | A user account was updated
17503 | A user account was deleted
Kept Field Breakdown
Field | Description
---|---
sophos.user_name | The account name performing the user account change.
sophos.src_ip | The IP of the logged-on host making the configuration change.
sophos.message | A human-readable description of the configuration change. This includes the name of the account created, modified, or deleted.
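The following is an added example, not Huntress or Sophos code, that re-implements the Local Firewall Authentication query (with its RFC1918 exclusion) and the message-prefix filter shared by the Firewall Rule Management and Account Management queries over constructed log lines, so the filtering logic can be checked offline. It assumes raw Sophos syslog lines are space-separated key="value" pairs and that the event code is carried in a field named message_id; it also adds an address-based RFC1918 check alongside the page's src_country != "R1" test, which catches a private source address whose country field was populated with something else.

```python
# Added example, not Huntress or Sophos code. Assumes raw Sophos syslog lines are
# space-separated key="value" pairs with the event code in a "message_id" field.
import ipaddress, re

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_AUTH = {"17701", "17702", "17704", "17705"}     # Local Firewall Authentication codes
CONFIG_CHANGE = {"17501", "17502", "17503", "17504"}  # rule and account management codes

SAMPLE_LOGS = [  # constructed sample lines, not real Sophos output
    'message_id="17702" status="Failed" user_name="admin" auth_mechanism="Local" reason="Wrong Credentials" src_ip="198.51.100.7" src_country="NLD"',
    'message_id="17701" status="Successful" user_name="admin" auth_mechanism="Local" src_ip="10.0.0.5" src_country="R1"',
    'message_id="17702" status="Failed" user_name="backup" auth_mechanism="Local" reason="Wrong Credentials" src_ip="172.20.3.9" src_country="USA"',
    'message_id="17708" status="Failed" user_name="jdoe" auth_mechanism="AD" src_ip="198.51.100.7" src_country="NLD"',
    'message_id="17502" user_name="admin" src_ip="10.0.0.5" message="Firewall rule Allow-RDP was updated"',
    'message_id="17501" user_name="admin" src_ip="10.0.0.5" message="User jdoe was created"',
]

def parse_line(line):
    """Split one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}

def is_rfc1918(ip):
    """True only for the three RFC 1918 ranges; a malformed or missing IP is not internal."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False

def run_query(lines, codes, keep, message_prefix=None, exclude_countries=(), exclude_rfc1918=False):
    """Mirror of the page's where/keep pipeline, plus an address-based RFC1918 check."""
    results = []
    for ev in map(parse_line, lines):
        if ev.get("message_id") not in codes:
            continue
        if message_prefix and not ev.get("message", "").startswith(message_prefix):  # LIKE "Firewall%"
            continue
        if ev.get("src_country") in exclude_countries or (exclude_rfc1918 and is_rfc1918(ev.get("src_ip", ""))):
            continue
        results.append({k: ev.get(k) for k in keep})
    return results

def local_auth_from_internet(lines=SAMPLE_LOGS):
    """Local logins outside RFC1918 space; the IP check also drops the private-source line whose src_country is "USA"."""
    keep = ("message_id", "status", "user_name", "auth_mechanism", "reason", "src_ip", "src_country")
    return run_query(lines, LOCAL_AUTH, keep, exclude_countries=("R1",), exclude_rfc1918=True)

def firewall_rule_changes(lines=SAMPLE_LOGS):
    """Firewall Rule Management query: configuration events whose message starts with "Firewall"."""
    return run_query(lines, CONFIG_CHANGE, ("message_id", "user_name", "src_ip", "message"), message_prefix="Firewall")
```

Swap the prefix to "User" to reproduce the Account Management query with the same function.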