Detection rules › Splunk
Windows Firewall Rule Modification
This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.004 Impair Defenses: Disable or Modify System Firewall |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
Stages and Predicates
Stage 1: search
search EventCode=4947
Stage 2: stats
stats BY RuleName, signature, subject, status, dest, ProcessID
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|