high open false positive

๐Ÿท๏ธ Analyst Verdict Classification

🤖 AI Analysis

🔔 Detections (1)

00326-NIX-Host_Based_Firewall_Disabled low
Rule: service.NIX-Host_Based_Firewall_Disabled
Hostname: fusionserver · Sensor: 04e68799-92b7-41...
Event Type: NEW_PROCESS
Confidence: 98% · Verdict: false positive
Event Data:
COMMAND_LINE:
/usr/sbin/iptables -F ufw-logging-deny
FILE_PATH:
/usr/sbin/xtables-nft-multi
HASH:
a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d
PARENT:
{'COMMAND_LINE': '/usr/bin/python3 /usr/sbin/ufw enable', 'FILE_PATH': '/usr/bin/python3.12', 'HASH': '8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc', 'MEMORY_USAGE': 16281600, 'PARENT_PROCESS_ID': 114528, 'PROCESS_ID': 114529, 'THIS_ATOM': '48add28300d7fec91063c11e69ca0248', 'THREADS': 1, 'TIMESTAMP': 1774846535516, 'USER_ID': 0, 'USER_NAME': 'root'}
PARENT_PROCESS_ID:
114529
PROCESS_ID:
114647
USER_ID:
0
USER_NAME:
root
IOCs: /usr/sbin/xtables-nft-multi /usr/sbin/iptables -F ufw-logging-deny a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d
MITRE: T1562.004
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00326-NIX-Host_Based_Firewall_Disabled",
  "detect": {
    "event": {
      "COMMAND_LINE": "/usr/sbin/iptables -F ufw-logging-deny",
      "FILE_PATH": "/usr/sbin/xtables-nft-multi",
      "HASH": "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d",
      "PARENT": {
        "COMMAND_LINE": "/usr/bin/python3 /usr/sbin/ufw enable",
        "FILE_PATH": "/usr/bin/python3.12",
        "HASH": "8295ee25cfdb239f3e165afceda7f46de73e2b606ff0e2e3d8623e3facd30acc",
        "MEMORY_USAGE": 16281600,
        "PARENT_PROCESS_ID": 114528,
        "PROCESS_ID": 114529,
        "THIS_ATOM": "48add28300d7fec91063c11e69ca0248",
        "THREADS": 1,
        "TIMESTAMP": 1774846535516,
        "USER_ID": 0,
        "USER_NAME": "root"
      },
      "PARENT_PROCESS_ID": 114529,
      "PROCESS_ID": 114647,
      "USER_ID": 0,
      "USER_NAME": "root"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "fcc93cbb-d104-4438-9606-a7c28c97c992",
      "event_time": 1774846540013,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "fusionserver",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.1.6",
      "latency": 1514,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "48add28300d7fec91063c11e69ca0248",
      "plat": 536870912,
      "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
      "tags": [
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "145c36dfc375ef801b91b2fb69ca024c"
    }
  },
  "detect_id": "27ab1d6d-54c4-4d24-8e0b-b55969ca024d",
  "detect_mtd": {
    "description": "Iptables, Firewalld, and UFW are builtin firewall implementations in Linux distributions. Adversaries may disable the firewall in order to bypass controls of network use.",
    "falsepositives": [
      "System Administrators may infrequently disable or stop the firewall to troubleshoot issues."
    ],
    "references": [
      "https://attack.mitre.org/techniques/T1562/004/",
      "https://threatpost.com/six-malicious-linux-shell-scripts-how-to-stop-them/168127/",
      "https://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/"
    ],
    "tags": [
      "attack.t1562",
      "attack.t1562.004"
    ]
  },
  "gen_time": 1774846541527,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774846540\u0026selected=145c36dfc375ef801b91b2fb69ca024c",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "fcc93cbb-d104-4438-9606-a7c28c97c992",
    "event_time": 1774846540013,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "fusionserver",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.1.6",
    "latency": 1514,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "48add28300d7fec91063c11e69ca0248",
    "plat": 536870912,
    "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
    "tags": [
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "145c36dfc375ef801b91b2fb69ca024c"
  },
  "rule_tags": [
    "attack.t1562.004",
    "attack.t1562",
    "ext:soteria-rules-edr"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
  "source_rule": "service.NIX-Host_Based_Firewall_Disabled",
  "ts": 1774846541000
}
๐ŸŒ Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 11,
      "undetected": 65
    }
  }
}
🤖 Triage JSON
{
  "_model_name": "dgx-122b",
  "_primary_summary": "### \ud83e\udde0 dgx-122b Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe process execution is part of legitimate UFW firewall management. The parent process \u0027ufw enable\u0027 correctly invokes xtables-nft-multi to configure firewall rules, specifically flushing the logging deny chain during initialization.\n\n**IOC Analysis:** The binary /usr/sbin/xtables-nft-multi is a standard Linux system utility located in the expected system path. The command line arguments are consistent with UFW enabling procedures, not malicious firewall disabling. Historical data confirms this pattern is consistently benign.",
  "confidence": 0.98,
  "false_positive_reason": "Legitimate system administration activity: UFW service enabling invokes iptables/nftables binaries to configure rules. Historical review data shows 100% false positive rate for this specific variant.",
  "investigation_questions": [
    "Was the UFW enablement action authorized by the system administrator?"
  ],
  "ioc_analysis": "The binary /usr/sbin/xtables-nft-multi is a standard Linux system utility located in the expected system path. The command line arguments are consistent with UFW enabling procedures, not malicious firewall disabling. Historical data confirms this pattern is consistently benign.",
  "iocs_extracted": [
    "/usr/sbin/xtables-nft-multi",
    "/usr/sbin/iptables -F ufw-logging-deny",
    "a1610dd70bb5ab04180671280df65b0077b680b627c0b6c51480b327732a762d"
  ],
  "mitre_techniques": [
    "T1562.004"
  ],
  "recommended_actions": [
    "Mark alert as False Positive",
    "Update detection rule to exclude UFW management parent processes",
    "No further investigation required"
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "The process execution is part of legitimate UFW firewall management. The parent process \u0027ufw enable\u0027 correctly invokes xtables-nft-multi to configure firewall rules, specifically flushing the logging deny chain during initialization.",
  "verdict": "false_positive"
}

โš™๏ธ Response Actions

Action      | Target                                                       | Status   | Result
tag         | 04e68799-92b7-411a-9abf-293a59ff94df:fusionsoc-investigated | failed   | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated
recommended | Manual review required                                       | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (3)

🤖 FusionSOC AI 2026-03-30T06:40
🤖 FusionSOC AI 2026-03-30T06:38
🤖 FusionSOC AI 2026-03-30T06:38

📜 Timeline

2026-03-30T06:40:43
FusionSOC AI
Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (3/4 → FALSE POSITIVE) - dgx-122b: true_positive (medium, 0% con...
2026-03-30T06:38:40
FusionSOC AI
Status changed: open → investigating
2026-03-30T06:38:40
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-30T06:38:40
FusionSOC AI
Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `04e68799-92b7-41...` **Time Window:** +/- 2 ...
2026-03-30T06:38:40
FusionSOC
Response action queued: recommended on Manual review required
2026-03-30T06:38:40
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/04e68799-92b7-411a-9abf-293a59ff94df/tags?tags=fusionsoc-investigated
2026-03-30T06:38:39
FusionSOC
Response action queued: tag on 04e68799-92b7-411a-9abf-293a59ff94df:fusionsoc-investigated
2026-03-30T06:38:39
FusionSOC AI
Detection 27ab1d6d-54c4-4d24-8e0b-b55969ca024d triaged as true_positive (medium severity, confidence: 0%)
2026-03-30T06:38:39
FusionSOC AI
Case created from detection: service.NIX-Host_Based_Firewall_Disabled