Detection rules › Splunk
Windows Firewall Rule Added
This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.004 Impair Defenses: Disable or Modify System Firewall |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
Stages and Predicates
Stage 1: search
search EventCode=4946
Stage 2: stats
stats BY RuleName, signature, subject, status, dest, ProcessID
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|