โ
Case #587
service.NIX-Host_Based_Firewall_Disabled
๐ท๏ธ Analyst Verdict Classification
FP by analyst๐ค AI Analysis
๐ Detections (1)
00326-NIX-Host_Based_Firewall_Disabled
high
Rule: service.NIX-Host_Based_Firewall_Disabled
Hostname: fusionserver ยท Sensor: 04e68799-92b7-41...
Event Type: NEW_PROCESS
Confidence: 95% ยท Verdict: false positive
Event Data:
COMMAND_LINE:
/usr/sbin/iptables -F ufw-logging-allow
FILE_PATH:
/usr/sbin/xtables-nft-multi
HASH:
a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d
PARENT:
{'COMMAND_LINE': '/usr/bin/python3 /usr/sbin/ufw enable', 'FILE_PATH': '/usr/bin/python3.12', 'HASH': '8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc', 'MEMORY_USAGE': 16281600, 'PARENT_PROCESS_ID': 114528, 'PROCESS_ID': 114529, 'THIS_ATOM': '48add28300d7fec91063c11e69ca0248', 'THREADS': 1, 'TIMESTAMP': 1774846535516, 'USER_ID': 0, 'USER_NAME': 'root'}
PARENT_PROCESS_ID:
114529
PROCESS_ID:
114649
USER_ID:
0
USER_NAME:
root
IOCs:
/usr/sbin/xtables-nft-multi
/usr/sbin/iptables -F ufw-logging-allow
a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d
MITRE:
T1562.004
Analyst Declaration:
๐ Raw Detection JSON
{
"author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
"cat": "00326-NIX-Host_Based_Firewall_Disabled",
"detect": {
"event": {
"COMMAND_LINE": "/usr/sbin/iptables -F ufw-logging-allow",
"FILE_PATH": "/usr/sbin/xtables-nft-multi",
"HASH": "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
"PARENT": {
"COMMAND_LINE": "/usr/bin/python3 /usr/sbin/ufw enable",
"FILE_PATH": "/usr/bin/python3.12",
"HASH": "8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc",
"MEMORY_USAGE": 16281600,
"PARENT_PROCESS_ID": 114528,
"PROCESS_ID": 114529,
"THIS_ATOM": "48add28300d7fec91063c11e69ca0248",
"THREADS": 1,
"TIMESTAMP": 1774846535516,
"USER_ID": 0,
"USER_NAME": "root"
},
"PARENT_PROCESS_ID": 114529,
"PROCESS_ID": 114649,
"USER_ID": 0,
"USER_NAME": "root"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "f1346683-d647-42c0-b226-8f55589fbc97",
"event_time": 1774846540047,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "fusionserver",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.1.6",
"latency": 1570,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "48add28300d7fec91063c11e69ca0248",
"plat": 536870912,
"sid": "04e68799-92b7-411a-9abf-293a59ff94df",
"tags": [
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "9e56f7fd9ab476fb165ce57869ca024c"
}
},
"detect_id": "a9dc113f-a886-419f-99be-1bb269ca024d",
"detect_mtd": {
"description": "Iptables, Firewalld, and UFW are builtin firewall implementations in Linux distributions. Adversaries may disable the firewall in order to bypass controls of network use.",
"falsepositives": [
"System Administrators may infrequently disable or stop the firewall to troubleshoot issues."
],
"references": [
"https://attack.mitre.org/techniques/T1562/004/",
"https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/",
"https://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/"
],
"tags": [
"attack.t1562",
"attack.t1562.004"
]
},
"gen_time": 1774846541617,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774846540\u0026selected=9e56f7fd9ab476fb165ce57869ca024c",
"namespace": "general",
"priority": 2,
"routing": {
"arch": 2,
"did": "",
"event_id": "f1346683-d647-42c0-b226-8f55589fbc97",
"event_time": 1774846540047,
"event_type": "NEW_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "fusionserver",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.1.6",
"latency": 1570,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "48add28300d7fec91063c11e69ca0248",
"plat": 536870912,
"sid": "04e68799-92b7-411a-9abf-293a59ff94df",
"tags": [
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "9e56f7fd9ab476fb165ce57869ca024c"
},
"rule_tags": [
"attack.t1562.004",
"attack.t1562",
"ext:soteria-rules-edr"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
"source_rule": "service.NIX-Host_Based_Firewall_Disabled",
"ts": 1774846541000
}
๐ Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 11,
"undetected": 65
}
}
}
๐ค Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "Parent process is ufw enable, indicating legitimate firewall configuration rather than disabling. Historical data shows 100% FP rate for this pattern.",
"investigation_questions": [
"Was this change authorized by the system administrator?",
"Is UFW currently active on this host?"
],
"ioc_analysis": "The binary /usr/sbin/xtables-nft-multi is a standard Linux networking utility located in a system directory. The command line \u0027iptables -F ufw-logging-allow\u0027 is consistent with UFW chain initialization during enablement. Historical data confirms this pattern is a known false positive.",
"iocs_extracted": [
"/usr/sbin/xtables-nft-multi",
"/usr/sbin/iptables -F ufw-logging-allow",
"a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d"
],
"mitre_techniques": [
"T1562.004"
],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"Verify UFW status on the host",
"Mark rule as false positive for this host if confirmed legitimate"
],
"risk_score": 10,
"severity": "high",
"summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process is part of the legitimate UFW enablement workflow on Linux. The parent process explicitly runs \u0027ufw enable\u0027, indicating administrative configuration rather than malicious disabling of protections.\n\n**IOC Analysis:** The binary /usr/sbin/xtables-nft-multi is a standard Linux networking utility located in a system directory. The command line \u0027iptables -F ufw-logging-allow\u0027 is consistent with UFW chain initialization during enablement. Historical data confirms this pattern is a known false positive.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 deepseek-r1:14b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 1,
"vote_summary": [
"dgx-122b: false_positive (low, 95% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "dgx-122b",
"verdict": "false_positive"
}
],
"winning_count": 1,
"winning_verdict": "false_positive"
}
}
โ๏ธ Response Actions
| Action | Target | Status | Result | |
|---|---|---|---|---|
| tag | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated | ||
| recommended | executed | General Activity Sweep: 0 events found | ||
| recommended | executed | General Activity Sweep: 0 events found |
๐ Add Note
๐ฌ Notes (4)
๐ค FusionSOC AI
2026-03-30T05:13
๐ค FusionSOC AI
2026-03-30T05:13
๐ค FusionSOC AI
2026-03-30T05:13
๐ค FusionSOC AI
2026-03-30T05:13
๐ Timeline
2026-03-30T05:34:07
analyst
Status changed: investigating โ closed
2026-03-30T05:34:05
analyst
Analyst classified as False Positive (FP)
2026-03-30T05:13:54
FusionSOC AI
Note by FusionSOC AI: ## ๐ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (1/1 โ FALSE POSITIVE) - dgx-122b: false_positive (low, 95% conf...
2026-03-30T05:13:13
FusionSOC AI
Status changed: investigating โ investigating
2026-03-30T05:13:13
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-30T05:13:13
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Mark rule as false positive for this host if confirmed legitimate **Sensor:** `0...
2026-03-30T05:13:13
FusionSOC
Response action queued: recommended on Mark rule as false positive for this host if confirmed legitimate
2026-03-30T05:13:13
FusionSOC AI
Status changed: open โ investigating
2026-03-30T05:13:13
FusionSOC
Action recommended โ executed: General Activity Sweep: 0 events found
2026-03-30T05:13:13
FusionSOC AI
Note by FusionSOC AI: ## ๐ General Activity Sweep **Action:** Verify UFW status on the host **Sensor:** `04e68799-92b7-41...` **Time Window:**...
2026-03-30T05:13:12
FusionSOC
Response action queued: recommended on Verify UFW status on the host
2026-03-30T05:13:12
FusionSOC
Action tag โ failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated
2026-03-30T05:13:12
FusionSOC
Response action queued: tag on 04e68799-92b7-411a-9abf-293a59ff94df:fusionsoc-investigated
2026-03-30T05:13:12
FusionSOC AI
Detection a9dc113f-a886-419f-99be-1bb269ca024d triaged as false_positive (low severity, confidence: 95%)
2026-03-30T05:13:12
FusionSOC AI
Case created from detection: service.NIX-Host_Based_Firewall_Disabled