โ†

Case #597

service.NIX-Host_Based_Firewall_Disabled

high open false positive

๐Ÿท๏ธ Analyst Verdict Classification

๐Ÿค– AI Analysis

๐Ÿ”” Detections (1)

00326-NIX-Host_Based_Firewall_Disabled low
Rule: service.NIX-Host_Based_Firewall_Disabled
Hostname: fusionserver ยท Sensor: 04e68799-92b7-41...
Event Type: NEW_PROCESS
Confidence: 95% ยท Verdict: false positive
Event Data:
COMMAND_LINE:
/usr/sbin/iptables -F ufw-before-logging-forward
FILE_PATH:
/usr/sbin/xtables-nft-multi
HASH:
a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d
PARENT:
{'COMMAND_LINE': '/usr/bin/python3 /usr/sbin/ufw enable', 'FILE_PATH': '/usr/bin/python3.12', 'HASH': '8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc', 'MEMORY_USAGE': 16281600, 'PARENT_PROCESS_ID': 114528, 'PROCESS_ID': 114529, 'THIS_ATOM': '48add28300d7fec91063c11e69ca0248', 'THREADS': 1, 'TIMESTAMP': 1774846535516, 'USER_ID': 0, 'USER_NAME': 'root'}
PARENT_PROCESS_ID:
114529
PROCESS_ID:
114625
USER_ID:
0
USER_NAME:
root
IOCs: /usr/sbin/xtables-nft-multi root /usr/sbin/iptables -F ufw-before-logging-forward
Analyst Declaration:
๐Ÿ“„ Raw Detection JSON 
{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00326-NIX-Host_Based_Firewall_Disabled",
  "detect": {
    "event": {
      "COMMAND_LINE": "/usr/sbin/iptables -F ufw-before-logging-forward",
      "FILE_PATH": "/usr/sbin/xtables-nft-multi",
      "HASH": "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
      "PARENT": {
        "COMMAND_LINE": "/usr/bin/python3 /usr/sbin/ufw enable",
        "FILE_PATH": "/usr/bin/python3.12",
        "HASH": "8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc",
        "MEMORY_USAGE": 16281600,
        "PARENT_PROCESS_ID": 114528,
        "PROCESS_ID": 114529,
        "THIS_ATOM": "48add28300d7fec91063c11e69ca0248",
        "THREADS": 1,
        "TIMESTAMP": 1774846535516,
        "USER_ID": 0,
        "USER_NAME": "root"
      },
      "PARENT_PROCESS_ID": 114529,
      "PROCESS_ID": 114625,
      "USER_ID": 0,
      "USER_NAME": "root"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "41c0a131-4e32-4e42-8e28-ec52c2ba59f9",
      "event_time": 1774846539919,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "fusionserver",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.1.6",
      "latency": 1622,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "48add28300d7fec91063c11e69ca0248",
      "plat": 536870912,
      "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
      "tags": [
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "7656ade05656d8c26835842769ca024c"
    }
  },
  "detect_id": "5124710e-dbf9-4049-bd2a-e42869ca024d",
  "detect_mtd": {
    "description": "Iptables, Firewalld, and UFW are builtin firewall implementations in Linux distributions. Adversaries may disable the firewall in order to bypass controls of network use.",
    "falsepositives": [
      "System Administrators may infrequently disable or stop the firewall to troubleshoot issues."
    ],
    "references": [
      "https://attack.mitre.org/techniques/T1562/004/",
      "https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/",
      "https://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/"
    ],
    "tags": [
      "attack.t1562",
      "attack.t1562.004"
    ]
  },
  "gen_time": 1774846541541,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774846539\u0026selected=7656ade05656d8c26835842769ca024c",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "41c0a131-4e32-4e42-8e28-ec52c2ba59f9",
    "event_time": 1774846539919,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "fusionserver",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.1.6",
    "latency": 1622,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "48add28300d7fec91063c11e69ca0248",
    "plat": 536870912,
    "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
    "tags": [
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "7656ade05656d8c26835842769ca024c"
  },
  "rule_tags": [
    "attack.t1562.004",
    "attack.t1562",
    "ext:soteria-rules-edr"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
  "source_rule": "service.NIX-Host_Based_Firewall_Disabled",
  "ts": 1774846541000
}
๐ŸŒ Threat Intel JSON 
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 11,
      "undetected": 65
    }
  }
}
๐Ÿค– Triage JSON 
{
  "_model_name": "dgx-122b",
  "_primary_summary": "### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe process execution is part of the standard UFW firewall enablement workflow on Linux systems. The parent process confirms this is an authorized management operation rather than a malicious attempt to disable protections.\n\n**IOC Analysis:** The binary path /usr/sbin/xtables-nft-multi is a legitimate system location for iptables/nftables backends. The command line targets a specific UFW chain for flushing during configuration, which is expected behavior.",
  "confidence": 0.95,
  "false_positive_reason": "Legitimate UFW enablement process flushing specific chains; Historical data shows 8/8 previous matches were false positives.",
  "investigation_questions": [
    "Is this host part of a managed fleet where UFW is routinely enabled?",
    "Are there other indicators of compromise on this host?"
  ],
  "ioc_analysis": "The binary path /usr/sbin/xtables-nft-multi is a legitimate system location for iptables/nftables backends. The command line targets a specific UFW chain for flushing during configuration, which is expected behavior.",
  "iocs_extracted": [
    "/usr/sbin/xtables-nft-multi",
    "root",
    "/usr/sbin/iptables -F ufw-before-logging-forward"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Mark alert as false positive",
    "Verify UFW status is enabled on host"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "The process execution is part of the standard UFW firewall enablement workflow on Linux systems. The parent process confirms this is an authorized management operation rather than a malicious attempt to disable protections.",
  "verdict": "false_positive"
}

โš™๏ธ Response Actions

Action Target Status Result
tag 04e68799-92b7-411a-9abf-293a59ff94df:fusionsoc-investigated failed 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated
recommended Verify UFW status on host executed General Activity Sweep: 0 events found
recommended Confirm no unauthorized firewall changes occurred executed General Activity Sweep: 0 events found
recommended Add rule to suppression list if consistent executed General Activity Sweep: 0 events found

๐Ÿ“ Add Note

๐Ÿ’ฌ Notes (5)

๐Ÿค– FusionSOC AI 2026-03-30T06:29
๐Ÿค– FusionSOC AI 2026-03-30T06:27
๐Ÿค– FusionSOC AI 2026-03-30T06:27
๐Ÿค– FusionSOC AI 2026-03-30T06:27
๐Ÿค– FusionSOC AI 2026-03-30T06:27

๐Ÿ“œ Timeline

2026-03-30T06:29:22
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ—ณ๏ธ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 โ†’ FALSE POSITIVE) - dgx-122b: false_positive (low, 95% con...
2026-03-30T06:27:01
FusionSOC AI
Status changed: investigating โ†’ investigating
2026-03-30T06:27:01
FusionSOC
Action recommended โ†’ executed: General Activity Sweep: 0 events found
2026-03-30T06:27:01
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Add rule to suppression list if consistent **Sensor:** `04e68799-92b7-41...` **T...
2026-03-30T06:27:01
FusionSOC
Response action queued: recommended on Add rule to suppression list if consistent
2026-03-30T06:27:01
FusionSOC AI
Status changed: investigating โ†’ investigating
2026-03-30T06:27:01
FusionSOC
Action recommended โ†’ executed: General Activity Sweep: 0 events found
2026-03-30T06:27:01
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Confirm no unauthorized firewall changes occurred **Sensor:** `04e68799-92b7-41....
2026-03-30T06:27:01
FusionSOC
Response action queued: recommended on Confirm no unauthorized firewall changes occurred
2026-03-30T06:27:01
FusionSOC AI
Status changed: open โ†’ investigating
2026-03-30T06:27:01
FusionSOC
Action recommended โ†’ executed: General Activity Sweep: 0 events found
2026-03-30T06:27:01
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Verify UFW status on host **Sensor:** `04e68799-92b7-41...` **Time Window:** +/-...
2026-03-30T06:27:00
FusionSOC
Response action queued: recommended on Verify UFW status on host
2026-03-30T06:27:00
FusionSOC
Action tag โ†’ failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated
2026-03-30T06:27:00
FusionSOC
Response action queued: tag on 04e68799-92b7-411a-9abf-293a59ff94df:fusionsoc-investigated
2026-03-30T06:27:00
FusionSOC AI
Detection 5124710e-dbf9-4049-bd2a-e42869ca024d triaged as false_positive (low severity, confidence: 95%)
2026-03-30T06:27:00
FusionSOC AI
Case created from detection: service.NIX-Host_Based_Firewall_Disabled