A user added a Windows firewall rule

Cortex XDR Analytics Alert Reference by Alert name

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
  • Requires: XDR Agent
  • Requires: eXtended Threat Hunting (XTH)
Detection Modules: Identity Threat Module
ATT&CK Tactic: Defense Evasion (TA0005)
ATT&CK Technique: Impair Defenses: Disable or Modify System Firewall (T1562.004)

A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls limiting network usage or to disrupt network communications.

Attacker's Goals

Firewall rules determine what traffic your firewall will block or allow. A malicious insider might want to change these rules in an attempt to bypass network limitations or disrupt network communication.

Investigative actions

  • Check for any other suspicious activity related to the host and the user involved in the alert.
  • Check Windows Defender Firewall with Advanced Security for a new rule that was added.
  • Check if the new rule was added to different machines as well.
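The second and third investigative actions can be worked through with the host's own firewall log. The following PowerShell script is an added example, not part of the Cortex XDR reference: it reads "rule added" events (Event ID 2004 in the Windows Defender Firewall with Advanced Security log) from one or more hosts and reports rule names that appear on more than one machine. It assumes remote event log access is permitted to the hosts named in `$Computers`, and that the event XML carries the named data fields used below (`RuleName`, `ModifyingUser`, and so on); `$Since` is an assumed lookback window.

```powershell
# Added example (not from the Cortex XDR reference). Assumptions: remote event log
# access to the hosts in $Computers; named <Data> fields in the Event ID 2004 XML.
param(
    [string[]]$Computers = @($env:COMPUTERNAME),  # hosts to check (assumed input)
    [datetime]$Since = (Get-Date).AddDays(-1)     # lookback, matches the 1-day dedup period
)

$LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Get-FirewallRuleAddedEvents {
    param([string]$ComputerName, [datetime]$StartTime)
    $filter = @{ LogName = $LogName; Id = 2004; StartTime = $StartTime }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # No matching events also raises an error; report it and move on to the next host.
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        # Read the named <Data> fields from the event XML instead of relying on property order.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Computer      = $ComputerName
            Time          = $e.TimeCreated
            RuleName      = $data['RuleName']
            Direction     = $data['Direction']        # numeric code as logged
            Action        = $data['Action']           # numeric code as logged
            LocalPorts    = $data['LocalPorts']
            RemoteAddr    = $data['RemoteAddresses']
            ModifyingUser = $data['ModifyingUser']
            ModifyingApp  = $data['ModifyingApplication']
        }
    }
}

# Action 2: list every rule added on each host within the window.
$added = foreach ($c in $Computers) { Get-FirewallRuleAddedEvents -ComputerName $c -StartTime $Since }
$added | Sort-Object Time | Format-Table -AutoSize

# Action 3: flag rule names that were added on more than one machine.
$added | Group-Object RuleName |
    Where-Object { ($_.Group.Computer | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "Rule '$($_.Name)' was added on: $(($_.Group.Computer | Select-Object -Unique) -join ', ')" }
```

The `ModifyingUser` and `ModifyingApplication` fields let you tie the rule back to the user and process named in the alert; a rule added by an unexpected account or application on several hosts is the case the third investigative action is looking for.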