A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules[1]
Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1562 | Impair Defenses |
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
|
| .004 | Disable or Modify System Firewall |
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
||
| .007 | Disable or Modify Cloud Firewall |
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
||
An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1518 | Software Discovery |
Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
|
| .001 | Security Software Discovery |
Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
||
Contextual data about a firewall and activity around it such as name, policy, or status
Contextual data about a firewall and activity around it such as name, policy, or status
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1518 | Software Discovery |
Monitor for contextual data about a firewall and activity around it such as name, policy, or status |
|
| .001 | Security Software Discovery |
Monitor for contextual data about a firewall and activity around it such as name, policy, or status |
||
Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1562 | Impair Defenses |
Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
|
| .004 | Disable or Modify System Firewall |
Monitor for changes made to firewall rules that might allow remote communication over protocols such as SMD and RDP. Modification of firewall rules might also consider opening local ports and services for different network profiles such as public and domain. |
||
| .007 | Disable or Modify Cloud Firewall |
Monitor cloud logs for modification or creation of new security groups or firewall rules. |
||
| Enterprise | T1070 | Indicator Removal |
Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic. |
|
| .007 | Clear Network Connection History and Configurations |
Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic. |
||