Firewall

A network security system, running locally on an endpoint or remotely as a service (e.g., in a cloud environment), that monitors and controls incoming and outgoing network traffic based on predefined rules[1]

ID: DS0018
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Firewall: Firewall Disable

Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)


Domain      ID     Name
Enterprise  T1562  Impair Defenses
            .004   Disable or Modify System Firewall
            .007   Disable or Modify Cloud Firewall

Firewall: Firewall Enumeration

An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)


Domain      ID     Name
Enterprise  T1518  Software Discovery
            .001   Security Software Discovery

Firewall: Firewall Metadata

Contextual data about a firewall and activity around it such as name, policy, or status


Domain      ID     Name
Enterprise  T1518  Software Discovery
            .001   Security Software Discovery

Firewall: Firewall Rule Modification

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)


Domain      ID     Name
Enterprise  T1562  Impair Defenses
            .004   Disable or Modify System Firewall
            .007   Disable or Modify Cloud Firewall

References