Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect Windows Allow Firewall Rule AdditionModification

Back
Id056593d4-ca3b-47a7-be9d-d1d0884a1d36
RulenameDetect Windows Allow Firewall Rule Addition/Modification
DescriptionThis analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsCiscoSecureEndpoint
CrowdStrikeFalconEndpointProtection
MicrosoftThreatProtection
SentinelOne
TrendMicroApexOne
TrendMicroApexOneAma
VMwareCarbonBlack
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml
Version1.0.0
Arm template056593d4-ca3b-47a7-be9d-d1d0884a1d36.json
Deploy To Azure
// List of Windows Firewall registry keys to monitor
let firewallRegistryList = dynamic([
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System',
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System',
      'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules',
      'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall'
  ]);
_ASim_RegistryEvent
| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') 
| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')
| project
    TimeGenerated,
    DvcHostname,
    ActorUsername,
    ActorUsernameType,
    ActingProcessId,
    ActingProcessName,
    ActingProcessCommandLine,
    RegistryKey,
    RegistryValue,
    RegistryValueType,
    RegistryValueData
| extend HostName = tostring(split(DvcHostname, '.')[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
| extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) 
tactics:
- DefenseEvasion
alertDetailsOverride:
  alertDisplayNameFormat: Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}
  alertDescriptionFormat: An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} by {{Username}}.
requiredDataConnectors:
- connectorId: CrowdStrikeFalconEndpointProtection
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne_CL
- connectorId: VMwareCarbonBlack
  dataTypes:
  - CarbonBlackEvents_CL
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
severity: Medium
queryFrequency: 1h
id: 056593d4-ca3b-47a7-be9d-d1d0884a1d36
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml
relevantTechniques:
- T1562
queryPeriod: 1h
tags:
- Schema: _ASim_RegistryEvent
  SchemaVersion: 0.1.2
status: Available
kind: Scheduled
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  - columnName: NTDomain
    identifier: NTDomain
- entityType: Account
  fieldMappings:
  - columnName: Username
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: NTDomain
    identifier: NTDomain
- entityType: Process
  fieldMappings:
  - columnName: ActingProcessId
    identifier: ProcessId
  - columnName: ActingProcessCommandLine
    identifier: CommandLine
- entityType: RegistryKey
  fieldMappings:
  - columnName: RegHive
    identifier: Hive
  - columnName: RegKey
    identifier: Key
- entityType: RegistryValue
  fieldMappings:
  - columnName: RegistryValue
    identifier: Name
  - columnName: RegistryValueData
    identifier: Value
  - columnName: RegistryValueType
    identifier: ValueType
eventGroupingSettings:
  aggregationKind: singleAlert
description: |
    This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.
name: Detect Windows Allow Firewall Rule Addition/Modification
query: |
  // List of Windows Firewall registry keys to monitor
  let firewallRegistryList = dynamic([
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System',
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System',
        'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules',
        'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall'
    ]);
  _ASim_RegistryEvent
  | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') 
  | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')
  | project
      TimeGenerated,
      DvcHostname,
      ActorUsername,
      ActorUsernameType,
      ActingProcessId,
      ActingProcessName,
      ActingProcessCommandLine,
      RegistryKey,
      RegistryValue,
      RegistryValueType,
      RegistryValueData
  | extend HostName = tostring(split(DvcHostname, '.')[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))
  | extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername)
  | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername)
  | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)
  | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')
  | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\'))   
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/056593d4-ca3b-47a7-be9d-d1d0884a1d36')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/056593d4-ca3b-47a7-be9d-d1d0884a1d36')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} by {{Username}}.",
          "alertDisplayNameFormat": "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}"
        },
        "alertRuleTemplateName": "056593d4-ca3b-47a7-be9d-d1d0884a1d36",
        "customDetails": null,
        "description": "This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.\n",
        "displayName": "Detect Windows Allow Firewall Rule Addition/Modification",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ActingProcessId",
                "identifier": "ProcessId"
              },
              {
                "columnName": "ActingProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          },
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "RegHive",
                "identifier": "Hive"
              },
              {
                "columnName": "RegKey",
                "identifier": "Key"
              }
            ]
          },
          {
            "entityType": "RegistryValue",
            "fieldMappings": [
              {
                "columnName": "RegistryValue",
                "identifier": "Name"
              },
              {
                "columnName": "RegistryValueData",
                "identifier": "Value"
              },
              {
                "columnName": "RegistryValueType",
                "identifier": "ValueType"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "singleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml",
        "query": "// List of Windows Firewall registry keys to monitor\nlet firewallRegistryList = dynamic([\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\n      'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\n      'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\n  ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \n| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\n| project\n    TimeGenerated,\n    DvcHostname,\n    ActorUsername,\n    ActorUsernameType,\n    ActingProcessId,\n    ActingProcessName,\n    ActingProcessCommandLine,\n    RegistryKey,\n    RegistryValue,\n    RegistryValueType,\n    RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          {
            "Schema": "_ASim_RegistryEvent",
            "SchemaVersion": "0.1.2"
          }
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}