Windows firewall monitoring using EventLog Analyzer

This tutorial walks through the capabilities of EventLog Analyzer for monitoring the Windows firewall.

Before you start viewing the audit reports, enabling the detection rules, and generating compliance reports, ensure that you've enabled logging for firewalls in the EventLog Analyzer console. Also ensure that the monitored Windows hosts are actually recording firewall changes: the rule and setting change reports below correspond to Windows Security log events 4946 to 4950 and 4954, which Windows writes only when the audit subcategory Audit MPSSVC Rule-Level Policy Change (Advanced Audit Policy Configuration > Policy Change) is enabled on the host.
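The following PowerShell snippet is an added example and is not part of the EventLog Analyzer documentation or product. It checks, on a monitored Windows host, that the audit subcategory behind the Windows Firewall change reports is enabled, generates a throwaway rule change, and then reads the resulting Security log events back. If nothing is returned here, the log collector has nothing to report on. The rule name ELA-Audit-Test and the one-hour look-back window are assumptions for this example; run it in an elevated session.

```powershell
# Added example (not from the EventLog Analyzer documentation): verify that a Windows host
# records the Security log events that back the Windows Firewall change reports.
# Assumes an elevated PowerShell session on the monitored host.

# Firewall rule and setting changes are audited under the Policy Change subcategory
# "MPSSVC Rule-Level Policy Change". Show its current state first.
auditpol /get /subcategory:"MPSSVC Rule-Level Policy Change"

# Enable success auditing for the subcategory (equivalent to the GPO setting
# Advanced Audit Policy Configuration > Policy Change > Audit MPSSVC Rule-Level Policy Change).
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable

# Security log event IDs that correspond to the reports:
#   4946 rule added, 4947 rule modified, 4948 rule deleted,
#   4949 settings restored to default, 4950 setting changed,
#   4954 Group Policy firewall settings applied
$firewallEventIds = 4946, 4947, 4948, 4949, 4950, 4954

# Produce a rule-added and a rule-deleted event with a throwaway rule.
# The rule name is an assumption for this example.
New-NetFirewallRule -DisplayName "ELA-Audit-Test" -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 65000 | Out-Null
Remove-NetFirewallRule -DisplayName "ELA-Audit-Test"

# Read back matching events from the last hour (window is an assumption) and show the
# first line of each message, which names the rule or setting that changed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $firewallEventIds
    StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Expect at least a 4946 and a 4948 event after the test rule is added and removed. If the subcategory was just enabled, events generated before the change are not backfilled, so only the test rule's events will appear.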

Monitoring Windows firewalls using EventLog Analyzer: Use cases

EventLog Analyzer covers the following firewall monitoring use cases with its predefined security reports. These reports can be scheduled to run at specific times and distributed over email.

Use case: Firewall rule configuration management
Description: Monitor and manage all changes to firewall rules, settings, and group policies to ensure a secure and optimized network environment.
Why implement? Ensures adherence to security policies, maintains a strong security posture, and simplifies compliance audits.
Available reports:
  • Windows Firewall Rule Added
  • Windows Firewall Rule Modified
  • Windows Firewall Rule Deleted
  • Windows Firewall Settings Changed

Use case: Monitor Group Policy-driven changes
Description: Logs changes to firewall settings implemented through Group Policy across the network.
Why implement? Ensures centralized configurations are not misused or overridden.
Available reports:
  • Windows Firewall Group Policy Changes

Use case: Audit firewall settings restorations
Description: Identifies instances of firewall settings being restored to defaults, which might lower security.
Why implement? Detects intentional or accidental rollbacks that can weaken protection.
Available reports:
  • Windows Firewall Settings Restored

Threat detection use cases

The following table lists the threat detection use cases that EventLog Analyzer covers for firewalls. The solution also includes a custom correlation rule builder so that users can create their own detection rules.

Use case: Firewall spoof attack
Description: Detect attempts to impersonate trusted devices in order to bypass firewall security.
Why implement? Spoofing can allow unauthorized access to a network, bypassing security measures.
Available detection alerts and correlation rules: The Firewall Spoof Attack alert profile detects and alerts on network traffic that mimics trusted devices, helping identify unauthorized access attempts.

Use case: Firewall internet protocol half-scan attack
Description: Identify incomplete or partial scan attempts targeting open ports to gather network information.
Why implement? A half-scan attack is often used for reconnaissance, allowing attackers to exploit vulnerabilities later.
Available detection alerts and correlation rules: The Firewall Internet Protocol Half-Scan Attack alert profile detects and alerts on incomplete scanning activity targeting open ports, providing visibility into suspicious reconnaissance behavior.

Use case: Firewall flood attack
Description: Monitor for high volumes of traffic aiming to overwhelm firewall resources or disrupt communication.
Why implement? Flood attacks exhaust system resources, potentially causing service outages or slowing down critical services.
Available detection alerts and correlation rules: The Firewall Flood Attack alert profile detects and alerts on high-volume traffic patterns that could overwhelm system resources, assisting in identifying flood-based attacks.

Use case: Firewall ping of death attack
Description: Detect oversized or malformed ICMP packets designed to crash or freeze devices within the network.
Why implement? A ping of death can lead to device crashes or system instability, making the network vulnerable to other attacks.
Available detection alerts and correlation rules: The Firewall Ping of Death Attack alert profile detects and alerts on unusually large or malformed ICMP packets, signaling potential ping of death attacks aimed at crashing systems.

Use case: Firewall SYN attack
Description: Identify SYN flood attacks, where malicious traffic targets the connection table of a firewall.
Why implement? SYN attacks overwhelm connection tables, causing system slowdowns or crashes, leading to service disruptions.
Available detection alerts and correlation rules: The Firewall SYN Attack alert profile detects and alerts on patterns of SYN flood attacks targeting system connection tables, aiding in the identification of SYN-based disruption efforts.

Compliance use cases

Network security is a critical foundation for any organization, and firewalls play a vital role in protecting sensitive data by controlling network traffic flow. This table shows how Windows firewall monitoring reports can be used to address specific compliance requirements for data security and access control.

Compliance requirement: Solution mapping for firewall platforms

EventLog Analyzer reports and alerts:
  • Windows Firewall Rule Added
  • Windows Firewall Rule Modified
  • Windows Firewall Rule Deleted
  • Windows Firewall Settings Restored
  • Windows Firewall Settings Changed
  • Windows Firewall Group Policy Changes
Detection rules:
  • Rule added
  • Rule modified
  • Rule deleted
  • Setting modified
Regulatory mandates and requirements:
  • PCI DSS: requirement 10.2.3
  • Cyber Essentials: Secure Configuration
  • COCO: Physical Security
  • NERC: CIP 007-6 R1.1, CIP 009-6 R1.3

EventLog Analyzer reports and alerts:
  • Firewall Spoof Attack
  • Firewall Internet Protocol Half-Scan Attack
  • Firewall Flood Attack
  • Firewall Ping of Death Attack
  • Firewall SYN Attack
Detection rules:
  • Spoof attack detected
  • Flood attack detected
  • Ping of death attack detected
  • SYN attack detected
Regulatory mandates and requirements:
  • Cyber Essentials: Boundary firewalls and internet gateways


Additional Resource