{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00326-NIX-Host_Based_Firewall_Disabled",
  "detect": {
    "event": {
      "COMMAND_LINE": "/usr/sbin/iptables -F ufw-caps-testb2jh026s",
      "FILE_PATH": "/usr/sbin/xtables-nft-multi",
      "HASH": "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
      "PARENT_PROCESS_ID": 114459,
      "PROCESS_ID": 114464,
      "USER_ID": 0,
      "USER_NAME": "root"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "75aa2d89-51f6-48cd-85d9-3256ae004a34",
      "event_time": 1774846411550,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "fusionserver",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.1.6",
      "latency": 9568,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "plat": 536870912,
      "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
      "tags": [
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "8443b15696dbab80702788eb69ca01cc"
    }
  },
  "detect_id": "ba26329d-c4fe-47e3-83f8-9fa469ca01d5",
  "detect_mtd": {
    "description": "Iptables, Firewalld, and UFW are builtin firewall implementations in Linux distributions. Adversaries may disable the firewall in order to bypass controls of network use.",
    "falsepositives": [
      "System Administrators may infrequently disable or stop the firewall to troubleshoot issues."
    ],
    "references": [
      "https://attack.mitre.org/techniques/T1562/004/",
      "https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/",
      "https://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/"
    ],
    "tags": [
      "attack.t1562",
      "attack.t1562.004"
    ]
  },
  "gen_time": 1774846421119,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774846411\u0026selected=8443b15696dbab80702788eb69ca01cc",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "75aa2d89-51f6-48cd-85d9-3256ae004a34",
    "event_time": 1774846411550,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "fusionserver",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.1.6",
    "latency": 9568,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "plat": 536870912,
    "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
    "tags": [
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "8443b15696dbab80702788eb69ca01cc"
  },
  "rule_tags": [
    "attack.t1562.004",
    "attack.t1562",
    "ext:soteria-rules-edr"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
  "source_rule": "service.NIX-Host_Based_Firewall_Disabled",
  "ts": 1774846421000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 11,
      "undetected": 65
    }
  }
}

{
  "confidence": 0.933,
  "false_positive_reason": "Historical data indicates 4/4 previous reviews for this variant were false positives. Binary is a standard system utility in expected path.",
  "investigation_questions": [
    "Is this host managed by Ansible, Puppet, or similar tools?",
    "Was there a scheduled maintenance window during this event?"
  ],
  "ioc_analysis": "The binary xtables-nft-multi resides in the standard /usr/sbin/ system directory. The command flushes a specific UFW chain, consistent with automated configuration management rather than malicious activity.",
  "iocs_extracted": [
    "/usr/sbin/xtables-nft-multi",
    "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
    "iptables -F ufw-caps-testb2jh026s"
  ],
  "mitre_techniques": [
    "T1562.004"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (unanimous)",
    "Confirm if host uses automated config management",
    "Review UFW logs for context",
    "Consider tuning rule to exclude known maintenance chains"
  ],
  "risk_score": 10,
  "severity": "high",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nLegitimate Linux firewall utility executing standard maintenance commands as root. Historical analytics show a 100% false positive rate for this specific process and user combination.\n\n**IOC Analysis:** The binary xtables-nft-multi resides in the standard /usr/sbin/ system directory. The command flushes a specific UFW chain, consistent with automated configuration management rather than malicious activity.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 deepseek-r1:14b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a legitimate Linux firewall utility executing standard maintenance commands as root, which is not indicative of malicious activity.\n\n**IOC Analysis:** FILE_PATH /usr/sbin/xtables-nft-multi is a known legitimate binary used for managing firewalls on Linux systems. The command line indicates it\u0027s flushing iptables rules, which is part of normal system maintenance.\n\n---\n\n### \ud83e\udd16 gemma3:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection involves the execution of `xtables-nft-multi` by the `root` user, which is a legitimate Linux firewall utility. Historical analysis and automated investigations confirm a 100% false positive rate for this specific process and user combination, indicating it\u0027s likely performing standard maintenance tasks. The lack of suspicious activity in the surrounding timeframe further supports this conclusion.\n\n**IOC Analysis:** The `FILE_PATH` points to a standard Linux firewall utility. The `COMMAND_LINE` demonstrates a standard maintenance command (`iptables -F`). The hash matches a known, legitimate binary. The user is `root`, which is common for system maintenance tools.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "dgx-122b: false_positive (low, 95% confidence)",
      "deepseek-r1:14b +RAG: false_positive (low, 90% confidence)",
      "gemma3:4b +RAG: false_positive (low, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "dgx-122b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "had_rag": true,
        "model": "deepseek-r1:14b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "gemma3:4b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}