Detection: Windows Firewall Rule Added

Description

This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log. Firewall rule modifications can indicate legitimate administrative actions, but they may also signal unauthorized changes, misconfigurations, or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms. By analyzing fields like RuleName, RuleId, Computer, and ProfileChanged, security teams can determine whether the change aligns with expected behavior. Correlating with user activity and process execution can help distinguish false positives from real threats, ensuring better visibility into potential security risks.

Search

1`wineventlog_security` EventCode=4946 
2| stats count min(_time) as firstTime max(_time) as lastTime by RuleName signature subject status dest ProcessID 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `windows_firewall_rule_added_filter`

Data Source

Name	Platform	Sourcetype	Source
Windows Event Log Security 4946	Windows	'xmlwineventlog'	'XmlWinEventLog:Security'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

This detection is based on data collected from Endpoint Detection and Response (EDR) agents, which provide security-related telemetry from monitored endpoints. Specifically, it focuses on Windows Security Event Log entries with EventID 4946, which indicates that a new Windows Firewall rule has been added. To implement this detection in Splunk, you must ingest Windows Security Event Logs that capture EventID 4946, ensuring that critical fields such as _time, EventRecordID, ProcessID, ThreadID, Computer, ProfileChanged, RuleName, and RuleId are available for analysis. These logs must be processed using the appropriate Splunk Technology Add-ons (TAs) to ensure compatibility with the EDR product and proper field extraction. Additionally, mapping these logs to the appropriate data model, such as the Endpoint data model, enhances structured analysis. Leveraging the Splunk Common Information Model (CIM) helps normalize field names, ensuring consistency across different data sources. By implementing this approach, you can effectively detect and monitor Windows Firewall rule modifications, providing visibility into potential security risks or unauthorized changes.

Known False Positives

Legitimate admin changes, Group Policy updates, software installs, security tools, and automated scripts can trigger false positives for Event ID 4946.

Associated Analytic Story

• Medusa Ransomware

• ShrinkLocker

Risk Based Analytics (RBA)

Risk Message:

a new firewall rule $RuleName$ added on $dest$.

References

• https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1