A user added a Windows firewall rule

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Severity

Informational

Description

A user added a new Windows Firewall rule. Adding a firewall rule may indicate an attempt to bypass controls that limit network usage or to disrupt network communication. Rule additions are also routine (software installers and administrators create them), which is why the alert is Informational; the rule, the user and the tool used to add it decide whether it warrants escalation.

Attacker's Goals

Firewall rules determine which traffic the Windows host firewall allows or blocks. An attacker or malicious insider may add rules to bypass network restrictions (for example, by allowing inbound connections to the host) or to disrupt network communication (for example, by blocking outbound traffic).

Investigative actions

  • Check for any other suspicious activity on the host and by the user involved in the alert.
  • In Windows Defender Firewall with Advanced Security, locate the newly added rule and review its direction, action, program, ports, addresses and profiles, and which user and tool added it.
  • Check whether the same rule was added on other machines as well.
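The three investigative actions above can be run from one script. The following PowerShell is an added example and is not part of the Cortex XDR alert reference or Palo Alto Networks' own tooling. It reads Event ID 2004 ("A rule has been added to the Windows Defender Firewall exception list") from the firewall operational log, resolves each added rule against the live firewall configuration, and repeats the check on other hosts over WinRM. The $Computers, $Since and $RuleName parameters, the Risk labels and the EventData field names used (RuleName, ModifyingUser, ModifyingApplication, present in Event 2004 on recent Windows versions) are this example's assumptions.

```powershell
# Added example, not from the Cortex XDR documentation: triage a "firewall rule added" alert.
# Assumes Windows PowerShell 5.1+ with the NetSecurity module, and WinRM for remote hosts.
# $Computers, $Since and $RuleName are assumed inputs. Save as Triage-FirewallRule.ps1.
param(
    [string[]]$Computers = @($env:COMPUTERNAME),   # hosts to check; put the alerting host first
    [datetime]$Since     = (Get-Date).AddDays(-1), # look-back; the alert deduplicates over 1 day
    [string]$RuleName    = ''                      # rule name from the alert; '' = every new rule
)

$probe = {
    param([datetime]$Since, [string]$RuleName)

    # Event 2004 in the firewall operational log (enabled by default). Security log 4946
    # carries the same information but needs MPSSVC rule-level policy change auditing.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004
        StartTime = $Since
    }
    $added = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            RuleName      = $d['RuleName']
            ModifyingUser = $d['ModifyingUser']         # SID of the account that added the rule
            ModifyingApp  = $d['ModifyingApplication']  # e.g. netsh.exe, mmc.exe, powershell.exe
        }
    }
    if ($RuleName) { $added = $added | Where-Object RuleName -eq $RuleName }

    foreach ($ev in $added) {
        # Resolve the SID to an account name where the host can translate it.
        $user = $ev.ModifyingUser
        try { $user = ([System.Security.Principal.SecurityIdentifier]$user).Translate([System.Security.Principal.NTAccount]).Value } catch {}

        # Live state: is the rule still present, and what does it allow or block?
        $rule = Get-NetFirewallRule -DisplayName $ev.RuleName -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $rule) {
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Time = $ev.Time; RuleName = $ev.RuleName
                               AddedBy = $user; AddedVia = $ev.ModifyingApp; Present = $false; Risk = 'rule since removed' }
            continue
        }
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        # Map the rule to the two attacker goals named in the alert description (labels are assumptions).
        $risk = switch ("$($rule.Direction)/$($rule.Action)") {
            'Inbound/Allow'  { 'bypass: opens inbound access' }
            'Outbound/Block' { 'disrupt: cuts outbound traffic' }
            'Outbound/Allow' { 'bypass: exempts traffic from outbound restrictions' }
            default          { 'review' }
        }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Time       = $ev.Time
            RuleName   = $ev.RuleName
            AddedBy    = $user
            AddedVia   = $ev.ModifyingApp
            Present    = $true
            Enabled    = $rule.Enabled
            Direction  = $rule.Direction
            Action     = $rule.Action
            Profile    = $rule.Profile
            Program    = $app.Program
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
            Risk       = $risk
        }
    }
}

# Run on the alerting host first, then on the other hosts to see whether the rule was pushed elsewhere.
$results = foreach ($c in $Computers) {
    if ($c -ieq $env:COMPUTERNAME) { & $probe $Since $RuleName }
    else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $Since, $RuleName }
}
$results | Sort-Object Time |
    Format-Table Computer, Time, RuleName, AddedBy, AddedVia, Direction, Action, Program, LocalPort, Risk -AutoSize

# The same rule on several hosts points to a scripted or policy-driven rollout rather than a one-off.
$results | Where-Object Present | Group-Object RuleName | Where-Object Count -gt 1 |
    ForEach-Object { "Rule '$($_.Name)' added on $($_.Count) hosts: $($_.Group.Computer -join ', ')" }
```

Run it as `.\Triage-FirewallRule.ps1 -Computers host1,host2 -RuleName 'Name from the alert'` from an account that can read event logs and firewall state on those hosts. A rule that has already been removed still shows up from the event with `Present = False`, which is itself worth noting: an add-then-delete pattern inside the one-day window is easy to miss when only the live rule list is inspected.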