
Quick Start Security for GCP Cloud Firewall

GCP Cloud Firewall

Coralogix Extension For GCP Cloud Firewall Includes:

Alerts - 6

Stay on top of GCP Cloud Firewall key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

No Logs From Firewall In Last 12 Hours

This alert is triggered when the firewall has produced no logs in the last 12 hours. Note - Feel free to change the duration to match your corporate policy.

Impact: If a critical control such as the firewall stops generating logs, security defense is significantly compromised, because abnormal traffic and requests go undetected and unverified. This includes major attacks such as DoS, DDoS, C2 (command-and-control) traffic, Tor connection requests, and so on. Any connections that manage to bypass security controls might also go unnoticed.

Mitigation: Examine the most recent event logged by the firewall and verify the configuration of its log integration. Next, manually inspect the firewall console for any triggered events. If any issues are found, contact the engineering team to resolve them or to reconfigure the connection. Finally, thoroughly review critical events from the past 12 hours to confirm that no suspicious activity was overlooked.

MITRE Tactic: TA0005 (Defense Evasion)
MITRE Technique: T1562 (Impair Defenses)

A Firewall Policy Was Deleted

This alert is triggered when a firewall policy is deleted. A firewall policy defines how an organization's firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types, based on the organization's information security policies.

Impact: Typically, such an event does not occur unless a test policy is involved or there is a valid business justification. Deleting a firewall policy could create backdoors or entry points that let attackers infiltrate the corporate network, facilitating malicious activities such as data exfiltration, privilege escalation, persistent execution, and malicious file installation.

Mitigation: Review the logs to determine which type of policy was deleted. If it appears to be a test or expected deletion, you may close the event. If it seems unexpected, contact the user to request justification. In the absence of justification, create a new policy equivalent to the deleted one. Additionally, analyze the gap between the deletion time and the creation time of the replacement to verify that no unusual events occurred and no attackers entered the network during that period.

MITRE Tactic: TA0005 (Defense Evasion)
MITRE Technique: T1562 (Impair Defenses)

Active Firewall Rule Was Deleted

This alert is triggered when a firewall rule is deleted. Firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. When you create a firewall rule, you specify a Virtual Private Cloud (VPC) network and a set of components that define what the rule does.

Impact: Typically, such an event does not occur unless a test rule is involved or there is a valid business justification. Deleting firewall rules could create backdoors or entry points that let attackers infiltrate the corporate network, leading to malicious activities such as data exfiltration, privilege escalation, persistent execution, and malicious file installation.

Mitigation: Review the logs to identify which type of rule was deleted. If it appears to be a test or anticipated rule, you may close the event. Otherwise, contact the user to request justification. If no justification is provided, create a new rule equivalent to the deleted one. Additionally, analyze the gap between the deletion time and the creation time of the replacement to ensure that no unusual events occurred and no attackers entered the network during that period.

MITRE Tactic: TA0005 (Defense Evasion)
MITRE Technique: T1562 (Impair Defenses)

Critical Changes Made to Firewall Rule

This alert is triggered when critical changes are made to an existing firewall rule. Note - This alert checks only for a source range set to 0.0.0.0/0 or for the firewall rule being disabled. Feel free to add more events to the query to extend your monitoring.

Impact: Significant alterations to firewall rules can permit unauthorized requests or block legitimate ones. It is therefore crucial to examine carefully any rule that permits access from 0.0.0.0/0, as well as any disabled rule, since disabling a rule can switch off the control it provided and allow suspicious connections to pass unnoticed.

Mitigation: Ensure that the ability to edit firewall rules is limited to administrators and authorized personnel, such as the SRE and Infrastructure Engineering teams. When such a change occurs, promptly contact the user for validation. If a valid justification and approval are provided, close the alert. Otherwise, revert the change, notify the responsible manager, and restrict that user's permissions accordingly.

MITRE Tactic: TA0005 (Defense Evasion)
MITRE Technique: T1562 (Impair Defenses)

A Firewall Rule Was Created

This alert is triggered when a new firewall rule is created. Firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. When you create a firewall rule, you specify a Virtual Private Cloud (VPC) network and a set of components that define what the rule does. Note - Establish a process for distinguishing test rules from production rules (for example, by applying test, QA, or production labels, or keywords in the rule name) to reduce false positives and monitor only critical production events.

Impact: Misconfigured firewall rules, or rules that permit traffic from malicious sources, pose significant risks to your infrastructure, devices, and data. Attackers could use the allowed ports and IP addresses to infiltrate your network, enabling actions such as data exfiltration, privilege escalation, persistent execution, and malicious file installation.

Mitigation: Examine the new rule to determine which connections it permits or denies. If the rule appears legitimate, you may conclude the investigation. If any discrepancies are detected, contact the user for justification and modify or delete the rule accordingly, unless a valid business justification is provided.

MITRE Tactic: TA0011 (Command and Control)
MITRE Technique: T1071 (Application Layer Protocol)

A Firewall Policy Was Created

This alert is triggered when a new firewall policy is created. A firewall policy defines how an organization's firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types, based on the organization's information security policies.

Impact: A firewall policy consists of the rules set by the user or organization, so it is crucial to monitor both the creation of policies and the assignment of rules to each one. Policies and rules that are applied without thorough validation and analysis could adversely affect inbound and outbound network connections, leading to server errors, network inaccessibility, and other disruptions.

Mitigation: Examine the new policy to determine which connections it permits or restricts. If it appears legitimate, you may conclude the investigation. If any discrepancies are noted, contact the user for justification and modify or delete the policy accordingly, unless a valid business justification is provided.

MITRE Tactic: TA0011 (Command and Control)
MITRE Technique: T1071 (Application Layer Protocol)
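The following Python script is an added example, not part of the Coralogix extension or its alert queries. It shows how the six alerts above map onto Compute Engine Admin Activity audit-log entries: the rule and policy alerts key on protoPayload.methodName (verbs insert, patch, update and delete on the firewalls and firewallPolicies resources), the critical-change alert inspects protoPayload.request for sourceRanges containing 0.0.0.0/0 or disabled set to true, and the no-logs alert compares the newest firewall entry against a 12-hour window. The log lines are constructed; the method names and request field names follow the Compute Engine audit-log conventions as I understand them, and should be checked against your own project's logs before use.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Compute Engine Admin Activity audit-log entries, in the
# shape Cloud Logging exports them (timestamp, protoPayload.methodName,
# protoPayload.resourceName, protoPayload.authenticationInfo,
# protoPayload.request). Principals, project and rule names are made up.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T08:00:00Z", "protoPayload": {"methodName": "v1.compute.firewalls.insert", "resourceName": "projects/example-project/global/firewalls/allow-ssh-test", "authenticationInfo": {"principalEmail": "alice@example.com"}, "request": {"name": "allow-ssh-test", "sourceRanges": ["10.0.0.0/8"]}}}
{"timestamp": "2024-05-01T08:05:00Z", "protoPayload": {"methodName": "v1.compute.firewalls.patch", "resourceName": "projects/example-project/global/firewalls/allow-ssh-test", "authenticationInfo": {"principalEmail": "bob@example.com"}, "request": {"sourceRanges": ["0.0.0.0/0"]}}}
{"timestamp": "2024-05-01T08:10:00Z", "protoPayload": {"methodName": "v1.compute.firewalls.patch", "resourceName": "projects/example-project/global/firewalls/deny-all-egress", "authenticationInfo": {"principalEmail": "bob@example.com"}, "request": {"disabled": true}}}
{"timestamp": "2024-05-01T08:15:00Z", "protoPayload": {"methodName": "v1.compute.firewalls.delete", "resourceName": "projects/example-project/global/firewalls/deny-all-egress", "authenticationInfo": {"principalEmail": "carol@example.com"}, "request": {}}}
{"timestamp": "2024-05-01T08:20:00Z", "protoPayload": {"methodName": "v1.compute.firewallPolicies.delete", "resourceName": "locations/global/firewallPolicies/corp-policy", "authenticationInfo": {"principalEmail": "carol@example.com"}, "request": {}}}
{"timestamp": "2024-05-01T08:25:00Z", "protoPayload": {"methodName": "v1.compute.firewallPolicies.insert", "resourceName": "locations/global/firewallPolicies/corp-policy-v2", "authenticationInfo": {"principalEmail": "alice@example.com"}, "request": {"shortName": "corp-policy-v2"}}}
{"timestamp": "2024-05-01T08:30:00Z", "protoPayload": {"methodName": "v1.compute.instances.insert", "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "alice@example.com"}, "request": {}}}
"""


def parse_log(text):
    """Parse newline-delimited JSON log export into a list of entries."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(ts):
    """Parse an RFC 3339 timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(entry):
    """Return the names of the alerts on this page that a single entry fires."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    request = payload.get("request") or {}
    verb = method.rsplit(".", 1)[-1]  # insert / patch / update / delete
    hits = []
    # Method names look like "<api-version>.compute.<resource>.<verb>", so
    # matching on the resource segment covers v1 and beta alike (assumption).
    if "compute.firewalls." in method:
        if verb == "delete":
            hits.append("Active Firewall Rule Was Deleted")
        elif verb == "insert":
            hits.append("A Firewall Rule Was Created")
        elif verb in ("patch", "update"):
            # The two conditions the critical-change alert checks.
            if "0.0.0.0/0" in (request.get("sourceRanges") or []):
                hits.append("Critical Changes Made to Firewall Rule (source 0.0.0.0/0)")
            if request.get("disabled") is True:
                hits.append("Critical Changes Made to Firewall Rule (rule disabled)")
    elif "compute.firewallPolicies." in method:
        if verb == "delete":
            hits.append("A Firewall Policy Was Deleted")
        elif verb == "insert":
            hits.append("A Firewall Policy Was Created")
    return hits


def run_alerts(entries):
    """Evaluate every entry and return findings with actor and resource for triage."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        for name in classify(entry):
            findings.append({
                "alert": name,
                "time": entry.get("timestamp"),
                "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                "resource": payload.get("resourceName"),
            })
    return findings


def firewall_logs_stale(entries, now_ts, window=timedelta(hours=12)):
    """True when no firewall rule or policy event has arrived within the window.

    Only firewall-related entries count, so unrelated audit activity (such as
    an instance being created) does not mask a silent firewall log feed.
    """
    times = [
        parse_ts(e["timestamp"]) for e in entries
        if "compute.firewall" in e.get("protoPayload", {}).get("methodName", "")
    ]
    if not times:
        return True
    return parse_ts(now_ts) - max(times) > window


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for finding in run_alerts(entries):
        print(f'{finding["time"]} {finding["alert"]:60} {finding["actor"]} {finding["resource"]}')
    print("firewall logs stale at 21:00Z:", firewall_logs_stale(entries, "2024-05-01T21:00:00Z"))
```

In a real deployment the classification would run over the Cloud Logging export (or the Coralogix query) rather than an in-memory sample, and the findings would be enriched with the label or naming convention you use to separate test rules from production rules, as the rule-creation alert recommends.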

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Cloud Firewall in our documentation.
