Windows firewall monitoring using EventLog Analyzer
This tutorial helps you navigate the capabilities of EventLog Analyzer in monitoring Windows firewall.
Before you start viewing the audit reports, enabling the detection rules, and generating compliance reports, ensure that you've enabled logging for firewalls in the EventLog Analyzer console.
Monitoring Windows firewalls using EventLog Analyzer: Use cases
EventLog Analyzer covers the following firewall monitoring use cases with its security reports. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.
Use Case | Description | Why implement? | Available reports |
---|---|---|---|
Firewall rule configuration management | Monitor and manage all changes to firewall rules, settings, and group policies to ensure a secure and optimized network environment. | Ensures adherence to security policies, maintains a strong security posture, and simplifies compliance audits. | |
Monitor Group Policy-driven changes | Logs changes to firewall settings implemented through group policies across the network. | Ensures centralized configurations are not misused or overridden. | |
Audit firewall settings restorations | Identifies instances of firewall settings being restored to defaults, which might lower security. | Detects intentional or accidental rollbacks that can weaken protection. | |
Threat detection use cases
The following table lists the threat detection use cases that EventLog Analyzer covers for firewalls. The solution also offers a custom correlation rule builder that lets users create their own detection rules.
Use Case | Description | Why implement? | Available detection alerts and correlation rules |
---|---|---|---|
Firewall spoof attack | Detect attempts to impersonate trusted devices in order to bypass firewall security. | Spoofing can allow unauthorized access to a network, bypassing security measures. | The Firewall Spoof Attack alert profile detects and alerts on network traffic that mimics trusted devices, helping identify unauthorized access attempts. |
Firewall internet protocol half-scan attack | Identify incomplete or partial scan attempts targeting open ports to gather network information. | A half-scan attack is often used for reconnaissance, allowing attackers to exploit vulnerabilities later. | The Firewall Internet Protocol Half-Scan Attack alert profile detects and alerts on incomplete scanning activities targeting open ports, providing visibility into suspicious reconnaissance behavior. |
Firewall flood attack | Monitor for high volumes of traffic aiming to overwhelm firewall resources or disrupt communication. | Flood attacks exhaust system resources, potentially causing service outages or slowing down critical services. | The Firewall Flood Attack alert profile detects and alerts on high-volume traffic patterns that could overwhelm system resources, assisting in identifying flood-based attacks. |
Firewall ping of death attack | Detect oversized or malformed ICMP packets designed to crash or freeze devices within the network. | A ping of death can lead to device crashes or system instability, making the network vulnerable to other attacks. | The Firewall Ping of Death Attack alert profile detects and alerts on unusually large or malformed ICMP packets, signaling potential ping of death attacks aimed at crashing systems. |
Firewall SYN attack | Identify SYN flood attacks, where malicious traffic targets the connection table of a firewall. | SYN attacks overwhelm connection tables, causing system slowdowns or crashes, leading to service disruptions. | The Firewall SYN Attack alert profile detects and alerts on patterns of SYN flood attacks targeting system connection tables, aiding in the identification of SYN-based disruption efforts. |
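The half-scan and flood patterns in the table above, shown as detection logic over the Windows Firewall text log (pfirewall.log). This is an added example, not EventLog Analyzer's own alert profiles; the sample log lines, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "  # column order from
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()  # the log's "#Fields:" line

# Constructed sample, not a real capture: 203.0.113.5 sends lone SYNs to four ports over 90 s,
# 198.51.100.7 sends four dropped DNS packets in 3 s, 192.0.2.9 is one allowed HTTPS session.
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:00:01 DROP TCP 203.0.113.5 192.168.1.10 40001 21 52 S 11 0 8192 - - - RECEIVE
2024-03-01 10:00:31 DROP TCP 203.0.113.5 192.168.1.10 40002 22 52 S 12 0 8192 - - - RECEIVE
2024-03-01 10:01:01 DROP TCP 203.0.113.5 192.168.1.10 40003 23 52 S 13 0 8192 - - - RECEIVE
2024-03-01 10:01:31 DROP TCP 203.0.113.5 192.168.1.10 40004 25 52 S 14 0 8192 - - - RECEIVE
2024-03-01 10:05:00 DROP UDP 198.51.100.7 192.168.1.10 5353 53 78 - - - - - - - RECEIVE
2024-03-01 10:05:01 DROP UDP 198.51.100.7 192.168.1.10 5353 53 78 - - - - - - - RECEIVE
2024-03-01 10:05:02 DROP UDP 198.51.100.7 192.168.1.10 5353 53 78 - - - - - - - RECEIVE
2024-03-01 10:05:03 DROP UDP 198.51.100.7 192.168.1.10 5353 53 78 - - - - - - - RECEIVE
2024-03-01 10:06:00 ALLOW TCP 192.0.2.9 192.168.1.10 51000 443 52 S 16 0 8192 - - - RECEIVE
"""

def parse_pfirewall(text):
    """Yield one dict per data line; '#' headers, blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if parts and not line.startswith("#") and len(parts) == len(FIELDS):
            rec = dict(zip(FIELDS, parts))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def detect_half_scan(records, min_ports=4):
    """Sources whose dropped SYN-only TCP probes touch at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["protocol"] == "TCP" and r["tcpflags"] == "S":
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def detect_flood(records, max_drops=3, window_s=10):
    """Sources with more than max_drops DROP lines inside any window_s-second span.
    Sliding window over each source's sorted timestamps; returns the peak count."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "DROP":
            by_src[r["src-ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_src.items():
        times, start = sorted(times), 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_drops:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits
```

Call `list(parse_pfirewall(SAMPLE_LOG))` once and pass the list to both detectors; the parser is a generator, so it is consumed on first use.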
Compliance use cases
Network security is a critical foundation for any organization, and firewalls play a vital role in protecting sensitive data by controlling network traffic flow. The following table shows how Windows firewall monitoring reports can be used to address specific compliance requirements for data security and access control.
Compliance requirement: Solution mapping for firewall platforms
EventLog Analyzer reports and alerts | Detection rules | Regulatory mandates | Requirements |
---|---|---|---|
 | | Cyber Essentials | Boundary firewalls and internet gateways |