Firewall

A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules[1]

ID: DS0018
Platforms: IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 14 October 2024

Data Components

Firewall: Firewall Disable

Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)

Domain ID Name Detects
Enterprise T1562 Impair Defenses

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

.004 Disable or Modify System Firewall

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

.007 Disable or Modify Cloud Firewall

Monitor for changes in the status of the cloud firewall.
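Added example (not part of the ATT&CK page): a small Python check that applies the Windows guidance above to a batch of Security log records, raising an alert for each 5025 or 5034 event on a host that is not followed by a firewall service start within a grace period, so a stop that is simply part of an orderly reboot is suppressed. The sample records are constructed; the flattened dict layout stands in for whatever a log pipeline emits, and event 5024 (service started) is an assumption, since the page names only the stop events.

```python
from datetime import datetime, timedelta

# Event IDs named on the page for the Firewall Disable component.
FIREWALL_STOPPED = {
    5025: "The Windows Firewall service has been stopped",
    5034: "The Windows Firewall driver was stopped",
}
# Assumption (not on the page): event 5024 marks a successful Windows Firewall
# service start; it is used here only to recognise an orderly restart.
FIREWALL_STARTED = 5024

# Constructed sample records, shaped like a flattened Security log export.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2024-10-14T08:00:01", "event_id": 5025},  # reboot: start follows
    {"host": "ws01", "time": "2024-10-14T08:00:40", "event_id": 5024},
    {"host": "ws02", "time": "2024-10-14T11:22:05", "event_id": 5034},  # driver stopped, never restarted
    {"host": "ws03", "time": "2024-10-14T11:25:00", "event_id": 4624},  # unrelated logon event
    {"host": "ws04", "time": "2024-10-14T11:30:10", "event_id": 5025},  # restart arrives two hours later
    {"host": "ws04", "time": "2024-10-14T13:30:10", "event_id": 5024},
]


def find_unrestored_firewall_stops(events, grace=timedelta(minutes=5)):
    """Return one alert per firewall stop that is not followed, on the same host,
    by a service start within `grace`. A stop/start pair inside the grace period
    is treated as a normal restart and suppressed."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for idx, ev in enumerate(evs):
            if ev["event_id"] not in FIREWALL_STOPPED:
                continue
            stopped_at = datetime.fromisoformat(ev["time"])
            restarted = any(
                later["event_id"] == FIREWALL_STARTED
                and datetime.fromisoformat(later["time"]) - stopped_at <= grace
                for later in evs[idx + 1:]
            )
            if not restarted:
                alerts.append({
                    "host": host,
                    "time": ev["time"],
                    "event_id": ev["event_id"],
                    "reason": FIREWALL_STOPPED[ev["event_id"]],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_unrestored_firewall_stops(SAMPLE_EVENTS):
        print(alert)
```

Tune the grace period to how long a reboot takes in your fleet; with the sample data, ws01 is suppressed as a restart while ws02 and ws04 are reported.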

Firewall: Firewall Enumeration

An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

Domain ID Name Detects
Enterprise T1518 Software Discovery

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

.001 Security Software Discovery

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

Firewall: Firewall Metadata

Contextual data about a firewall and activity around it such as name, policy, or status

Domain ID Name Detects
Enterprise T1518 Software Discovery

Monitor for contextual data about a firewall and activity around it such as name, policy, or status

.001 Security Software Discovery

Monitor for contextual data about a firewall and activity around it such as name, policy, or status

Firewall: Firewall Rule Modification

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)

Domain ID Name Detects
Enterprise T1562 Impair Defenses

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.004 Disable or Modify System Firewall

Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMB and RDP. Rule modifications might also open local ports and services for different network profiles such as public and domain.

.007 Disable or Modify Cloud Firewall

Monitor cloud logs for modification or creation of new security groups or firewall rules. For example, in AWS environments, monitor for the AuthorizeSecurityGroupIngress API call in CloudTrail and use AWS Config to monitor changes to the configuration of a Virtual Private Cloud (VPC) Security Group.[2]

Analytic 1 - Operations performed by unexpected initiators, unusual rule names, frequent modifications

index="azure_activity_logs" OperationName="Create or Update Security Rule"
| where like(Resource, "%Microsoft.Network/networkSecurityGroups/securityRules%")
    AND (Status!="Succeeded" OR InitiatorName!="expected_initiator")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY InitiatorName, Resource
| sort - count
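Added example (not part of the ATT&CK page): the AWS side of the guidance above, as a Python pass over CloudTrail records that applies the same three criteria the Azure analytic uses, an unexpected initiator, a rule opened to any address, and a burst of modifications from one principal. The page names AuthorizeSecurityGroupIngress; the other three EC2 security-group API names, the allow-list of expected principals, the burst threshold and window, and the sample records (built by a helper in the layout EC2 writes to CloudTrail) are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# The page names AuthorizeSecurityGroupIngress; the other three are the EC2 API
# names for the remaining rule directions (existing API names, added here).
MONITORED_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}
# Constructed allow-list: principals expected to change security groups.
EXPECTED_INITIATORS = {"arn:aws:iam::111122223333:role/terraform-deploy"}
BURST_THRESHOLD = 3                   # monitored calls by one principal ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window count as a burst


def _record(time, event, arn, group="sg-0abc1234", port=None, v4=None, v6=None):
    """Build a trimmed CloudTrail record in the field layout EC2 emits for
    security-group calls. Constructed sample data, not a real trail."""
    perm = {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipRanges": {"items": [{"cidrIp": v4}] if v4 else []},
            "ipv6Ranges": {"items": [{"cidrIpv6": v6}] if v6 else []}}
    return {"eventTime": time, "eventName": event, "userIdentity": {"arn": arn},
            "requestParameters": {"groupId": group,
                                  "ipPermissions": {"items": [perm] if port else []}}}


DEPLOY = "arn:aws:iam::111122223333:role/terraform-deploy"
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_CLOUDTRAIL = [
    _record("2024-10-14T10:00:00Z", "AuthorizeSecurityGroupIngress", DEPLOY, port=443, v4="10.0.0.0/8"),
    _record("2024-10-14T10:05:00Z", "AuthorizeSecurityGroupIngress", ALICE, port=3389, v4="0.0.0.0/0"),
    _record("2024-10-14T10:06:00Z", "RevokeSecurityGroupIngress", ALICE, port=22, v4="10.0.0.0/8"),
    _record("2024-10-14T10:07:00Z", "AuthorizeSecurityGroupIngress", ALICE, port=22, v6="::/0"),
    _record("2024-10-14T10:08:00Z", "DescribeSecurityGroups", ALICE),  # read-only call, ignored
]


def _cidrs(record):
    """Collect every IPv4/IPv6 CIDR named in the request's ipPermissions."""
    perms = record["requestParameters"].get("ipPermissions", {}).get("items", [])
    found = []
    for p in perms:
        found += [r["cidrIp"] for r in p.get("ipRanges", {}).get("items", [])]
        found += [r["cidrIpv6"] for r in p.get("ipv6Ranges", {}).get("items", [])]
    return found


def analyze_cloudtrail(records):
    """Return findings for security-group rule changes that come from an
    unexpected principal, open a rule to the whole internet, or arrive in a burst."""
    findings = []
    history = {}  # principal ARN -> timestamps of its recent monitored calls
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec["eventName"] not in MONITORED_EVENTS:
            continue
        who = rec["userIdentity"]["arn"]
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = set()
        if who not in EXPECTED_INITIATORS:
            reasons.add("unexpected_initiator")
        if rec["eventName"].startswith("Authorize") and ANYWHERE & set(_cidrs(rec)):
            reasons.add("open_to_internet")
        recent = [t for t in history.get(who, []) if when - t <= BURST_WINDOW] + [when]
        history[who] = recent
        if len(recent) >= BURST_THRESHOLD:
            reasons.add("burst")
        if reasons:
            findings.append({"time": rec["eventTime"], "initiator": who,
                             "event": rec["eventName"],
                             "group": rec["requestParameters"]["groupId"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(finding)
```

The burst check is deliberately per principal rather than per security group, which is what catches an identity that touches several groups in quick succession; AWS Config remains the place to confirm what the resulting group configuration actually looks like after the calls.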

Enterprise T1070 Indicator Removal

Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.

.007 Clear Network Connection History and Configurations

Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.

References