Adlumin Advanced Notice: Strengthen Firewall Security Posture with New Sophos and FortiGate Detections (Releasing Wednesday March 25)

We are pleased to announce the upcoming release of new detections that expand visibility into firewall administration activity, remote access, and potentially malicious network behavior observed through Sophos Firewall and FortiGate telemetry.

Many detections are available out of the box using standard firewall logs, while some rely on advanced vendor features to provide enhanced threat context.

Sophos Firewall

This release adds new detections that help teams better understand who is accessing the firewall, what is being changed, and how the firewall is being used for outbound activity.

Examples include visibility into firewall rule changes, access to the management interface from internal or external sources, outbound remote access activity such as FTP or SSH, and network behavior associated with command-and-control, reconnaissance, or exploitation attempts.

FortiGate

This release introduces new detections focused on administrative account activity on FortiGate devices.

These detections help teams identify when local or administrative accounts are created or removed. Such activity may be expected during normal administration, but it should be reviewed for misuse, misconfiguration, or unexpected changes.

Be sure to check out the full Release Notes for the complete list of detections, including detailed descriptions, MITRE alignment, license requirements, and telemetry considerations.
