DS0018 Firewall
A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules
| Item | Value | 
|---|---|
| ID | DS0018 | 
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS | 
| Collection Layers | Cloud Control Plane, Host | 
| Version | 1.0 | 
| Created | 20 October 2021 | 
| Last Modified | 30 March 2022 | 
Data Components
Firewall Disable
Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
| Domain | ID | Name | 
|---|---|---|
| enterprise | T1562 | Impair Defenses | 
| enterprise | T1562.004 | Disable or Modify System Firewall | 
| enterprise | T1562.007 | Disable or Modify Cloud Firewall | 
Firewall Enumeration
An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
| Domain | ID | Name | 
|---|---|---|
| enterprise | T1518 | Software Discovery | 
| enterprise | T1518.001 | Security Software Discovery | 
Firewall Metadata
Contextual data about a firewall and activity around it such as name, policy, or status
| Domain | ID | Name | 
|---|---|---|
| enterprise | T1518 | Software Discovery | 
| enterprise | T1518.001 | Security Software Discovery | 
Firewall Rule Modification
Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
| Domain | ID | Name | 
|---|---|---|
| enterprise | T1562 | Impair Defenses | 
| enterprise | T1562.004 | Disable or Modify System Firewall | 
| enterprise | T1562.007 | Disable or Modify Cloud Firewall | 
| enterprise | T1070 | Indicator Removal | 
| enterprise | T1070.007 | Clear Network Connection History and Configurations |
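As an added example (not part of the ATT&CK page), the following Python classifier maps constructed Azure Activity Log entries and Windows Security events onto the Firewall Disable and Firewall Rule Modification components described above. The Azure operation names, callers, resource IDs and Windows event fields are assumed sample values, not real telemetry.

```python
"""Map constructed firewall telemetry onto the DS0018 data components."""

# Constructed, simplified Azure Activity Log records (field names follow the
# Activity Log schema; the operation names and resource IDs are assumed).
AZURE_ACTIVITY = [
    {"operationName": "Microsoft.Network/azureFirewalls/delete", "status": "Succeeded",
     "caller": "alice@example.com", "resourceId": "/subscriptions/sub1/rg1/azureFirewalls/fw-prod"},
    {"operationName": "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write",
     "status": "Succeeded", "caller": "bob@example.com",
     "resourceId": "/subscriptions/sub1/rg1/firewallPolicies/pol1/ruleCollectionGroups/NetworkRules"},
    {"operationName": "Microsoft.Network/azureFirewalls/read", "status": "Succeeded",
     "caller": "carol@example.com", "resourceId": "/subscriptions/sub1/rg1/azureFirewalls/fw-prod"},
    {"operationName": "Microsoft.Network/azureFirewalls/write", "status": "Failed",
     "caller": "mallory@example.com", "resourceId": "/subscriptions/sub1/rg1/azureFirewalls/fw-prod"},
]
# Constructed Windows Security log events; 4950 is "A Windows Firewall setting has changed".
WINDOWS_SECURITY = [
    {"EventID": 4950, "SubjectUserName": "dave", "ProfileChanged": "Domain",
     "SettingType": "Enable Windows Defender Firewall", "SettingValue": "No"},
    {"EventID": 4624, "SubjectUserName": "dave"},
]

def classify_azure(rec):
    """Return the DS0018 component for an Activity Log entry, or None if it is not a change."""
    if rec.get("status") != "Succeeded":
        return None  # only successful operations change firewall state
    op = rec["operationName"].lower()
    if not op.endswith(("/write", "/delete")):
        return None  # read/list operations belong to Firewall Enumeration, not to a change
    if "/rulecollectiongroups/" in op:
        return "Firewall Rule Modification"  # rule collection written or deleted
    if "/azurefirewalls/" in op:
        return "Firewall Disable"  # the firewall resource itself written or deleted
    return None

def classify_windows(rec):
    """Return the DS0018 component for a Windows Security event, or None."""
    return "Firewall Rule Modification" if rec.get("EventID") == 4950 else None

def findings(azure=AZURE_ACTIVITY, windows=WINDOWS_SECURITY):
    """Collect (component, technique, actor, detail) tuples from both log sources."""
    out = []
    for rec in azure:
        comp = classify_azure(rec)
        if comp:
            out.append((comp, "T1562.007", rec["caller"], rec["operationName"]))
    for rec in windows:
        comp = classify_windows(rec)
        if comp:
            out.append((comp, "T1562.004", rec["SubjectUserName"],
                        f"{rec['SettingType']} = {rec['SettingValue']}"))
    return out

if __name__ == "__main__":
    for f in findings():
        print(*f, sep=" | ")
```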