Language: SPL. License: Apache-2.0. Source: splunk/security_content
Linux Auditd Disable Or Modify System Firewall
The following analytic detects suspicious attempts to disable or modify the system firewall, flagged when Linux auditd records a SERVICE_STOP event for the firewalld or ufw unit. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or to maintain control over a system, and such actions can be signs of malicious activity. If confirmed, it could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.
Rule source: detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime BY type pid comm exe unit dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_disable_or_modify_system_firewall_filter`
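To make the search logic concrete outside Splunk, here is an added Python example (not part of security_content and not the rule's own code) that parses raw auditd SERVICE_STOP records and reproduces the same filter and grouping as the SPL above: keep only SERVICE_STOP events whose unit is firewalld or ufw, then count them with first and last timestamps by type, pid, comm, exe, unit and dest. The log lines are constructed for illustration, the host name is an assumed placeholder, and the key/value parser is a simplified one written for this example rather than the `linux_auditd` macro's field extraction.

```python
import re

# Constructed auditd records for this example (not real captures). The
# nested msg='...' body of SERVICE_* records carries unit, comm and exe.
SAMPLE_AUDITD_LINES = """
type=SERVICE_STOP msg=audit(1700000000.101:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1700000005.202:202): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1700000010.303:203): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ufw comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1700000015.404:204): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1700000020.505:205): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=firewalld comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
""".strip().splitlines()

# Units the rule watches, mirroring: unit IN ("firewalld", "ufw")
WATCHED_UNITS = ("firewalld", "ufw")
GROUP_BY = ("type", "pid", "comm", "exe", "unit", "dest")

# key=value tokens; values may be "double quoted", 'single quoted' or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# audit(<epoch seconds>:<serial>) header that carries the event time.
AUDIT_TS_RE = re.compile(r"audit\((\d+(?:\.\d+)?):(\d+)\)")


def parse_auditd_record(line, host):
    """Flatten one raw auditd line into a dict of fields (simplified parser)."""
    fields = {"dest": host}  # the SPL renames host to dest
    for key, raw in KV_RE.findall(line):
        if key == "msg" and raw.startswith("audit("):
            m = AUDIT_TS_RE.search(raw)
            if m:
                fields["_time"] = float(m.group(1))
                fields["serial"] = int(m.group(2))
            continue
        if key == "msg" and raw.startswith("'"):
            # nested body: unit=... comm="..." exe="..." res=...
            for k2, v2 in KV_RE.findall(raw[1:-1]):
                fields[k2] = v2.strip('"')
            continue
        fields[key] = raw.strip('"')
    return fields


def detect_firewall_service_stop(lines, host="constructed-host"):
    """Equivalent of the SPL filter plus
    stats count min(_time) max(_time) BY type pid comm exe unit dest."""
    groups = {}
    for line in lines:
        rec = parse_auditd_record(line, host)
        if rec.get("type") != "SERVICE_STOP" or rec.get("unit") not in WATCHED_UNITS:
            continue
        ts = rec.get("_time")
        if ts is None:
            continue  # no audit header, cannot place the event in time
        key = tuple(rec.get(f) for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(g)
        rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in detect_firewall_service_stop(SAMPLE_AUDITD_LINES):
        print(row)
```

Run against the constructed lines, the function returns two rows (firewalld stopped twice, ufw once); the cron stop and the firewalld start fall outside the filter just as they would in the SPL. In production the same SERVICE_STOP records are also written during reboots and package upgrades, which is what the trailing `_filter` macro in the rule is for: tune it per environment rather than loosening the unit list.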