
Commit

Updated schema and attack mapping for Windows Firewall With Advanced …
…Security events

- log_source: Microsoft-Windows-Windows Firewall With Advanced Security
- issue created in OSSEM-DD: Creation of dictionaries required - OTRF/OSSEM-DD#39
Cyb3rPandaH committed Jun 28, 2022
1 parent a1ee4c7 commit 3759cea
Showing 15 changed files with 1,084 additions and 150 deletions.
92 changes: 48 additions & 44 deletions relationships/_all_ossem_relationships.json
Expand Up @@ -1730,7 +1730,10 @@
"contributors": [
"Jose Rodriguez @Cyb3rPandaH"
],
"attack": null,
"attack": {
"data_source": "Firewall",
"data_component": "firewall rule modification"
},
"behavior": {
"source": "process",
"relationship": "removed",
Expand All @@ -1741,16 +1744,12 @@
"event_id": 2006,
"name": "A rule has been deleted in the Windows Defender Firewall exception list",
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"log_provider": "Microsoft-Windows-Windows Firewall With Advanced Security"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
"notes": [
"Potential contribution for ATT&CK - Firewall / firewall rule modification"
]
"notes": null
},
{
"relationship_id": "REL-2022-0039",
Expand Down Expand Up @@ -3991,7 +3990,10 @@
"contributors": [
"Jose Rodriguez @Cyb3rPandaH"
],
"attack": null,
"attack": {
"data_source": "Firewall",
"data_component": "firewall rule modification"
},
"behavior": {
"source": "process",
"relationship": "added",
Expand All @@ -4002,16 +4004,12 @@
"event_id": 2004,
"name": "A rule has been added to the Windows Defender Firewall exception list",
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"log_provider": "Microsoft-Windows-Windows Firewall With Advanced Security"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
"notes": [
"Potential contribution for ATT&CK - Firewall / firewall rule modification"
]
"notes": null
},
{
"relationship_id": "REL-2022-0089",
Expand Down Expand Up @@ -4305,7 +4303,10 @@
"contributors": [
"Jose Rodriguez @Cyb3rPandaH"
],
"attack": null,
"attack": {
"data_source": "Firewall",
"data_component": "firewall rule modification"
},
"behavior": {
"source": "process",
"relationship": "modified",
Expand All @@ -4316,16 +4317,12 @@
"event_id": 2005,
"name": "A rule has been modified in the Windows Defender Firewall exception list.",
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"log_provider": "Microsoft-Windows-Windows Firewall With Advanced Security"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
"notes": [
"Potential contribution for ATT&CK - Firewall / firewall rule modification"
]
"notes": null
},
{
"relationship_id": "REL-2022-0096",
Expand Down Expand Up @@ -5359,7 +5356,8 @@
"event_id": 2006,
"name": "A rule has been deleted in the Windows Defender Firewall exception list",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
},
{
"event_id": "cloudtrail",
Expand All @@ -5382,7 +5380,8 @@
"event_id": 2033,
"name": "All rules have been deleted from the Windows Firewall configuration on this computer.",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
Expand Down Expand Up @@ -5802,7 +5801,8 @@
"event_id": 2009,
"name": "The Windows Firewall service failed to load Group Policy.",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
Expand Down Expand Up @@ -7039,7 +7039,10 @@
"contributors": [
"Jose Rodriguez @Cyb3rPandaH"
],
"attack": null,
"attack": {
"data_source": "Firewall",
"data_component": "firewall metadata"
},
"behavior": {
"source": "user",
"relationship": "modified",
Expand All @@ -7050,13 +7053,15 @@
"event_id": 2002,
"name": "A Windows Defender Firewall setting has changed.",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
},
{
"event_id": 2003,
"name": "A Windows Defender Firewall setting in the Private profile has changed.",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
Expand Down Expand Up @@ -7876,7 +7881,8 @@
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
},
{
"event_id": "cloudtrail",
Expand Down Expand Up @@ -8450,7 +8456,8 @@
"event_id": 2005,
"name": "A rule has been modified in the Windows Defender Firewall exception list.",
"platform": "windows",
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
},
{
"event_id": "cloudtrail",
Expand Down Expand Up @@ -8479,7 +8486,10 @@
"contributors": [
"Jose Rodriguez @Cyb3rPandaH"
],
"attack": null,
"attack": {
"data_source": "Firewall",
"data_component": "firewall metadata"
},
"behavior": {
"source": "process",
"relationship": "modified",
Expand All @@ -8490,25 +8500,19 @@
"event_id": 2002,
"name": "A Windows Defender Firewall setting has changed.",
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"log_provider": "Microsoft-Windows-Windows Firewall With Advanced Security"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
},
{
"event_id": 2003,
"name": "A Windows Defender Firewall setting in the Private profile has changed.",
"platform": "windows",
"audit_category": null,
"audit_sub_category": null,
"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"log_provider": "Microsoft-Windows-Windows Firewall With Advanced Security"
"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",
"event_version": []
}
],
"references": null,
"notes": [
"Potential contribution for ATT&CK - Firewall / firewall modification (New data component and relationship)"
]
"notes": null
},
{
"relationship_id": "REL-2022-0181",
Expand Down
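Review bot: Collapsing `log_channel` and `log_provider` into a single `log_source` that carries only the provider name drops the channel, so records such as the event 2006 entry in the first hunk no longer say which event channel they are read from, and the later hunks (the 2006, 2033, 2009, 2002/2003 and 2005 entries) that previously held the channel path `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` lose it as well; a provider can presumably feed more than one channel, so the two are not interchangeable. Detection content that filters on the channel string can no longer be derived from this file, and a consumer that treats the new value as a channel name will match nothing. If the schema intends `log_source` to hold the provider, keep the channel next to it, e.g. `"log_source": "Microsoft-Windows-Windows Firewall With Advanced Security",` followed by `"log_channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",`, or state in the schema which of the two the field carries. `"event_version": []` is added to every entry as an empty array with nothing indicating what a populated value looks like; it appears to be a placeholder pending the dictionaries referenced in the description, which is worth recording in the schema description so consumers do not read an empty list as "no versions". Each relationship object starts and ends outside the hunks shown.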

0 comments on commit 3759cea
