
DS0018 Firewall

A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules.[1]

| Item | Value |
| --- | --- |
| ID | DS0018 |
| Platforms | Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS |
| Collection Layers | Cloud Control Plane, Host |
| Version | 1.0 |
| Created | 20 October 2021 |
| Last Modified | 30 March 2022 |

Data Components

Firewall Disable

Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)

| Domain | ID | Name |
| --- | --- | --- |
| enterprise | T1562 | Impair Defenses |
| enterprise | T1562.004 | Disable or Modify System Firewall |
| enterprise | T1562.007 | Disable or Modify Cloud Firewall |

Firewall Enumeration

An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)

| Domain | ID | Name |
| --- | --- | --- |
| enterprise | T1518 | Software Discovery |
| enterprise | T1518.001 | Security Software Discovery |

Firewall Metadata

Contextual data about a firewall and activity around it such as name, policy, or status

| Domain | ID | Name |
| --- | --- | --- |
| enterprise | T1518 | Software Discovery |
| enterprise | T1518.001 | Security Software Discovery |

Firewall Rule Modification

Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)

| Domain | ID | Name |
| --- | --- | --- |
| enterprise | T1562 | Impair Defenses |
| enterprise | T1562.004 | Disable or Modify System Firewall |
| enterprise | T1562.007 | Disable or Modify Cloud Firewall |
| enterprise | T1070 | Indicator Removal |
| enterprise | T1070.007 | Clear Network Connection History and Configurations |

References