{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00326-NIX-Host_Based_Firewall_Disabled",
  "detect": {
    "event": {
      "COMMAND_LINE": "/usr/sbin/iptables -F ufw-caps-test3f_1fjz0",
      "FILE_PATH": "/usr/sbin/xtables-nft-multi",
      "HASH": "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
      "PARENT_PROCESS_ID": 114442,
      "PROCESS_ID": 114447,
      "USER_ID": 0,
      "USER_NAME": "root"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "8b1fdee5-f6d7-4604-9989-e5556c849c69",
      "event_time": 1774846396491,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "fusionserver",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.1.6",
      "latency": 6559,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "plat": 536870912,
      "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
      "tags": [
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "01e35b6fd32cac3ecbb20d2a69ca01bd"
    }
  },
  "detect_id": "096213b7-e647-4135-b1ae-830669ca01c3",
  "detect_mtd": {
    "description": "Iptables, Firewalld, and UFW are builtin firewall implementations in Linux distributions. Adversaries may disable the firewall in order to bypass controls of network use.",
    "falsepositives": [
      "System Administrators may infrequently disable or stop the firewall to troubleshoot issues."
    ],
    "references": [
      "https://attack.mitre.org/techniques/T1562/004/",
      "https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/",
      "https://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/"
    ],
    "tags": [
      "attack.t1562",
      "attack.t1562.004"
    ]
  },
  "gen_time": 1774846403051,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774846396\u0026selected=01e35b6fd32cac3ecbb20d2a69ca01bd",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "8b1fdee5-f6d7-4604-9989-e5556c849c69",
    "event_time": 1774846396491,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "fusionserver",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.1.6",
    "latency": 6559,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "plat": 536870912,
    "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
    "tags": [
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "01e35b6fd32cac3ecbb20d2a69ca01bd"
  },
  "rule_tags": [
    "attack.t1562.004",
    "attack.t1562",
    "ext:soteria-rules-edr"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
  "source_rule": "service.NIX-Host_Based_Firewall_Disabled",
  "ts": 1774846403000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 11,
      "undetected": 65
    }
  }
}

{
  "confidence": 0.95,
  "false_positive_reason": "Historical data shows 4/4 false positives for this exact pattern. Command line indicates legitimate UFW temporary chain management.",
  "investigation_questions": [
    "Is this host part of an automated configuration management system?",
    "Are there corresponding UFW logs confirming this chain flush?"
  ],
  "ioc_analysis": "The binary /usr/sbin/xtables-nft-multi is a standard Linux system utility located in a trusted directory. The command line targets a UFW-specific temporary chain (ufw-caps-test...), indicating automated configuration rather than malicious firewall disabling.",
  "iocs_extracted": [
    "/usr/sbin/xtables-nft-multi",
    "/usr/sbin/iptables -F ufw-caps-test3f_1fjz0",
    "root"
  ],
  "mitre_techniques": [
    "T1562.004"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Verify UFW service status is healthy",
    "Monitor for unexpected firewall rule changes outside of UFW management",
    "No immediate containment required"
  ],
  "risk_score": 15,
  "severity": "high",
  "summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe event depicts a legitimate UFW firewall management process flushing a temporary test chain. Historical analysis confirms a 100% false positive rate for this specific binary and command pattern.\n\n**IOC Analysis:** The binary /usr/sbin/xtables-nft-multi is a standard Linux system utility located in a trusted directory. The command line targets a UFW-specific temporary chain (ufw-caps-test...), indicating automated configuration rather than malicious firewall disabling.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 deepseek-r1:14b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 1,
    "vote_summary": [
      "dgx-122b: false_positive (low, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "dgx-122b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "false_positive"
  }
}