Windows Firewall¶
About¶
Windows Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network.
Product Details¶
Vendor URL: Windows Firewall
Product Type: Host-based Firewall
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Syslog Integration - Cyderes Documentation
Log Guide: www.learn.microsoft.com
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: WINDOWS_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccountName | principal.user.userid |
| AccountType | principal.user.role_description |
| Channel | observer.application |
| Domain | principal.administrative_domain |
| EventID | metadata.product_event_type |
| Hostname | principal.hostname |
| LocalPorts | principal.port |
| ModifyingApplication | target.application |
| ModifyingUser | security_result.about.user.userid |
| ProcessID | principal.process.pid |
| ProviderGuid | metadata.product_log_id |
| RuleId | security_result.rule_id |
| RuleName | security_result.rule_name |
| Severity | security_result.severity |
| Severity | security_result.severity_details |
| SourceName | principal.application |
| UserID | principal.user.windows_sid |
Product Event Types¶
Some products we only support certain event types. Here are the supported Windows Firewall Event IDs.
| Windows Event ID | Event Description | UDM Event Classification |
|---|---|---|
| 2004 | "A rule has been added to the Windows Firewall exception list" | "RESOURCE_CREATION" |
| 2005 | "A rule has been modified in the Windows Firewall exception list." | "RESOURCE_WRITTEN" |
| 2006 | "A rule has been deleted in the Windows Firewall exception list." | "RESOURCE_DELETION" |
| 2011 | "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." | "GENERIC_EVENT" |
| 2033 | "All rules have been deleted from the Windows Firewall configuration on this computer." | "RESOURCE_DELETION" |
Log Sample¶
{"EventTime":"2022-09-29T02:49:11.358751-05:00","Hostname":"Hostname1","Keywords":-9223369837831520256,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2004,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{EXAMPLE-GUID}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":8325,"ProcessID":2900,"ThreadID":27524,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A rule has been added to the Windows Defender Firewall exception list.\r\n\r\nAdded Rule:\r\n\tRule ID:\t{387c428e-411d-43fa-8d68-2e504c206db6}\r\n\tRule Name:\tInternet Connection Sharing (DHCP Server-In)\r\n\tOrigin:\tDynamic\r\n\tActive:\tNo\r\n\tDirection:\tInbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tAllow\r\n\tApplication Path:\tC:\\WINDOWS\\system32\\svchost.exe\r\n\tService Name:\tSharedAccess\r\n\tProtocol:\tUDP\r\n\tSecurity Options:\tC:\\Windows\\System32\\svchost.exe\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\t542\r\n\tModifying Application:\t65536","Opcode":"Info","RuleId":"{387c428e-411d-43fa-8d68-2e504c206db6}","RuleName":"Internet Connection Sharing (DHCP Server-In)","Origin":"3","ApplicationPath":"C:\\WINDOWS\\system32\\svchost.exe","ServiceName":"SharedAccess","Direction":"1","Protocol":"17","LocalPorts":"67","RemotePorts":"*","Action":"3","Profiles":"7","LocalAddresses":"*","RemoteAddresses":"*","EmbeddedContext":"@ipnathlp.dll,-140","Flags":"1","Active":"1","EdgeTraversal":"0","LooseSourceMapped":"0","SecurityOptions":"0","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\Windows\\System32\\svchost.exe","SchemaVersion":"542","RuleStatus":"65536","LocalOnlyMapped":"0","EventReceivedTime":"2022-09-29 02:49:22","SourceModuleName":"windows_firewall","SourceModuleType":"im_msvistalog"}
Sample Parsing¶
metadata.event_timestamp = "2022-09-29T02:49:11.358751z"
metadata.event_type = RESOURCE_CREATION
metadata.product_event_type = 2004
metadata.product_log_id = "{EXAMPLE-GUID}"
observer.application = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
metadata.description = "A rule has been added to the Windows Firewall exception list"
principal.administrative_domain = "NT AUTHORITY"
principal.application = "Microsoft-Windows-Windows Firewall With Advanced Security"
principal.hostname = "Hostname1"
principal.port = "67"
principal.process.pid = "2900"
principal.user.role_description = "Well Known Group"
principal.user.userid = "LOCAL SERVICE"
principal.user.windows_sid = "S-1-5-19"
security_result.about.user.userid = "S-1-5-18"
security_result.rule_id = {387c428e-411d-43fa-8d68-2e504c206db6}
security_result.rule_name = "Internet Connection Sharing (DHCP Server-In)"
security_result.severity = INFORMATIONAL
security_result.severity_details = "INFO"
target.application = "C:\\Windows\\System32\\svchost.exe"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon