Name:Windows Firewall Rule Modification id:fe7efbf7-5f82-44b9-8c33-316189ab2393 version:1 date:2025-03-19 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity. Data_source:
-Windows Event Log Security 4947
search:`wineventlog_security` EventCode=4947 | stats count min(_time) as firstTime max(_time) as lastTime by RuleName signature subject status dest ProcessID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_firewall_rule_modification_filter`
how_to_implement:This detection is based on data collected from Endpoint Detection and Response (EDR) agents, which provide security-related telemetry from monitored endpoints. Specifically, it focuses on Windows Security Event Log entries with EventID 4947, which indicates that a Windows Firewall rule has been modified. To implement this detection in Splunk, you must ingest Windows Security Event Logs that capture EventID 4947, ensuring that critical fields such as _time, EventRecordID, ProcessID, ThreadID, Computer, ProfileChanged, RuleName, and RuleId are available for analysis. These logs must be processed using the appropriate Splunk Technology Add-ons (TAs) to ensure compatibility with the EDR product and proper field extraction. Additionally, mapping these logs to the appropriate data model, such as the Endpoint data model, enhances structured analysis. Leveraging the Splunk Common Information Model (CIM) helps normalize field names, ensuring consistency across different data sources. By implementing this approach, you can effectively detect and monitor Windows Firewall rule modifications, providing visibility into potential security risks or unauthorized changes. known_false_positives:Legitimate admin changes, Group Policy updates, software installs, security tools, and automated scripts can trigger false positives for Event ID 4947. References: -https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4947 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'ShrinkLocker' - 'Medusa Ransomware' asset_type:Endpoint mitre_attack_id: - 'T1562.004' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
