Firewall Rule Additions
This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.
EDRhunting
FDR intermediatepor CrowdStrike (cql-hub.com) 1 min read
Query
#event_simpleName=ProcessRollup2
| join({#event_simpleName=FirewallSetRule}, key=ContextProcessId, field=TargetProcessId, include=[FirewallRule, FirewallRuleId])
| ImageFileName=/.*\\(?<fileName>.*\..*)/
| table([aid, UserSid, fileName, FirewallRuleId, FirewallRule, ImageFileName, CommandLine])Explicación
Importado desde cql-hub.com. Agrega explicación de pipes aquí.
Variables a ajustar
Revisa y ajusta los valores según tu entorno.