Firewall Rule Modification

The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:

  • Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
  • Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
  • Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
  • Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
  • Platform-Specific Scenarios
    • Azure: Altering rules in an Azure Network Security Group (NSG).
    • AWS: Modifying Security Group rules to allow traffic.
    • Windows: Changes tracked in Security Event Logs (EID 4950 or 4951).

This data component can be collected through the following measures:

Cloud Control Plane

  • Azure: Collect rule modification logs from Azure Firewall Activity Logs.
    • Example Command: az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>
  • AWS: Use CloudTrail to track AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress actions.
    • Example Command: aws ec2 describe-security-groups
  • Google Cloud: Use gcloud commands to extract firewall rules: gcloud compute firewall-rules list --format=json
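As an added example (not part of this data component page and not MITRE or AWS tooling), the following Python reviews CloudTrail records for the AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress actions named above and flags the scenarios from the Examples list: a sensitive port such as RDP/3389 opened to "any" source, or a rule on such a port removed. The security group ID, account ID and user name in the sample records are constructed placeholders; the field layout (requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp) follows how CloudTrail records these EC2 calls.

```python
"""Flag risky security-group changes in CloudTrail records (added example)."""
import json
from ipaddress import ip_network

# Ports whose exposure to the whole internet is almost always worth a finding.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM"}
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}


def _port_in_range(from_port, to_port, port):
    """True if `port` falls in the rule's range; -1/None means 'all ports' in EC2."""
    if from_port in (-1, None) or to_port in (-1, None):
        return True
    return from_port <= port <= to_port


def _is_any_source(cidr):
    """0.0.0.0/0 or ::/0, i.e. the 'any' source from the Examples list."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def review_event(event):
    """Return a list of finding strings for one CloudTrail record (empty if benign)."""
    findings = []
    name = event.get("eventName")
    if name not in WATCHED_EVENTS:
        return findings
    params = event.get("requestParameters") or {}
    group = params.get("groupId", "<unknown-sg>")
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown-actor>")
    verb = "opened to" if name.startswith("Authorize") else "revoked for"
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
        for cidr in cidrs:
            if not cidr or not _is_any_source(cidr):
                continue
            for port, label in SENSITIVE_PORTS.items():
                if _port_in_range(from_port, to_port, port):
                    findings.append(f"{group}: {label}/{port} {verb} {cidr} by {actor}")
    return findings


def scan(records):
    """Run review_event over an iterable of CloudTrail records."""
    out = []
    for record in records:
        out.extend(review_event(record))
    return out


def scan_file(path):
    """Scan a CloudTrail log file ({"Records": [...]}) on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return scan(json.load(fh).get("Records", []))


def _sample(event_name, port, cidr, proto="tcp"):
    """Build a constructed CloudTrail-shaped record; IDs and ARN are placeholders."""
    return {
        "eventName": event_name,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": proto, "fromPort": port, "toPort": port,
                "ipRanges": {"items": [{"cidrIp": cidr}]}, "ipv6Ranges": {},
            }]},
        },
    }


SAMPLE_EVENTS = [  # constructed records for the demo
    _sample("AuthorizeSecurityGroupIngress", 3389, "0.0.0.0/0"),  # RDP to any source
    _sample("AuthorizeSecurityGroupIngress", 443, "0.0.0.0/0"),   # HTTPS: not sensitive
    _sample("AuthorizeSecurityGroupIngress", 22, "10.0.0.0/8"),   # SSH, trusted range
    _sample("RevokeSecurityGroupIngress", 22, "0.0.0.0/0"),       # deletion is reported too
    {"eventName": "DescribeSecurityGroups", "requestParameters": {}},  # read-only, ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both the Authorize and the Revoke direction are reported because the page treats rule deletion as notable in its own right; a SIEM rule would typically route the two to different severities. The `-1`/missing port handling matters in practice: an "all traffic" rule to 0.0.0.0/0 produces one finding per sensitive port, which is the intended signal.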

Host-Based Firewalls

  • Windows:
    • Collect events from the Windows Security Event Log (EID 4950: A rule has been modified).
    • Use PowerShell to track rule changes: Get-NetFirewallRule -PolicyStore PersistentStore
  • Linux:
    • Monitor iptables or nftables rule modifications: iptables -L -v
    • Use auditd for real-time monitoring: auditctl -w /etc/iptables.rules -p wa
  • macOS: Use pfctl to monitor rule changes: sudo pfctl -sr
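The Linux commands above list the live ruleset; turning that into a change record means comparing a baseline listing with a later one. The following Python is an added example (not from this page or any distribution's tooling) that diffs two snapshots in iptables-save format, reporting added rules, removed rules and chain policy changes. The two snapshots are constructed and mirror the Examples list: an RDP allow rule added, a rule blocking an untrusted range deleted, and the INPUT policy flipped from DROP to ACCEPT. nftables output (`nft list ruleset`) has a different syntax and would need its own parser.

```python
"""Diff two iptables-save snapshots to surface firewall rule modifications (added example)."""
import re

# ":CHAIN POLICY [pkts:bytes]" lines; user-defined chains carry "-" as their policy.
_POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?$")


def parse_snapshot(text):
    """Return (rules, policies).

    rules    : set of (table, rule_line) for every "-A ..." line
    policies : dict mapping (table, chain) -> policy for built-in chains
    """
    rules, policies = set(), {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # "*filter", "*nat", ...
            table = line[1:]
            continue
        m = _POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if policy != "-":
                policies[(table, chain)] = policy
            continue
        if line.startswith("-A "):
            rules.add((table, line))
    return rules, policies


def diff_snapshots(baseline, current):
    """List human-readable findings describing how `current` differs from `baseline`."""
    b_rules, b_pol = parse_snapshot(baseline)
    c_rules, c_pol = parse_snapshot(current)
    findings = []
    for table, rule in sorted(c_rules - b_rules):
        findings.append(f"ADDED   [{table}] {rule}")
    for table, rule in sorted(b_rules - c_rules):
        findings.append(f"REMOVED [{table}] {rule}")
    for table, chain in sorted(set(b_pol) | set(c_pol)):
        before, after = b_pol.get((table, chain)), c_pol.get((table, chain))
        if before != after:
            findings.append(f"POLICY  [{table}] {chain}: {before} -> {after}")
    return findings


# Constructed snapshots (what `iptables-save` would print before and after a change).
SNAPSHOT_BASELINE = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
COMMIT
"""

SNAPSHOT_CURRENT = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in diff_snapshots(SNAPSHOT_BASELINE, SNAPSHOT_CURRENT):
        print(finding)
```

Because the comparison is set-based, a pure reordering of rules (which changes match precedence) is not reported; if ordering matters for your policy, compare the rule lists positionally as well. Pairing this diff with the auditd watch on the rules file, as the page suggests, attributes the change to a process and user, which the snapshot alone cannot.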

SIEM Integration

  • Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.

API Monitoring

  • Monitor API calls for firewall rule modifications.

ID: DC0051
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
AWS:CloudTrail | AuthorizeSecurityGroupIngress
AWS:CloudTrail | Create egress rule allowing UDP to port 53, 123, 11211
AWS:CloudTrail | Ingress rule creation or modification for security group
AWS:CloudTrail | New security group created with permissive rules
esxi:hostd | vSphere API calls modifying firewall settings
Firewall Audit Logs | Config Change
Firewall Audit Logs | Outbound NAT Rule Changes
linux:syslog | iptables or nftables rule changes
networkdevice:cli | firewall disable commands or suspicious ACL modifications
networkdevice:Firewall | update_rule: Access control or NAT rule modified or disabled outside maintenance window
NSM:Firewall | Policy Change / Rule Update
NSM:Firewall | rule_modification: New or modified firewall rules related to wireless interfaces
WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | new rule allowing inbound or outbound connections for remote desktop software
WinEventLog:Security | Firewall Rule Modification

Detection Strategy