Rules: Excessive Outbound Firewall Blocks

Description
Observes for a firewall blocking a large amount of traffic from a single host in a short period of time. This may be indicative of C2 traffic.

Additional Details
Type: Threshold
Category: Unknown/Other
Apply Risk to Entities: srcDevice_hostname, srcDevice_ip
Signal Name: Excessive Outbound Firewall Blocks
Summary Expression: Firewall blocked traffic from IP: {{srcDevice_ip}} at a high rate within a 5 minute window
Threshold Count: 500
Threshold Window: 5m
Score/Severity: Static: 1
Enabled by Default: True
Prototype: False
Tags: _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1046

Vendors and Products
- Amazon AWS - Network Firewall
- Amazon AWS - VpcFlowLogs
- CheckPoint - Application Control
- CheckPoint - Firewall and VPN
- CheckPoint - SmartDefense
- Cisco Systems - ASA
- Cisco Systems - Meraki
- Fortinet - Fortigate
- Juniper - SRX Series Firewall
- Microsoft - Azure
- Palo Alto Networks - Next Generation Firewall
- Sophos - UTM 9

Fields Used (Field - Origin)
- dstDevice_ip_isInternal - Normalized Schema
- dstPort - Normalized Schema
- listMatches - Normalized Schema
- objectType - Normalized Schema
- srcDevice_hostname - Normalized Schema
- srcDevice_ip - Normalized Schema
- srcDevice_ip_isInternal - Normalized Schema
- success - Normalized Schema
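To illustrate how a threshold rule like this evaluates over normalized records, here is an added example (not the vendor's rule code) that applies a per-source sliding 5-minute window with a count of 500 to constructed sample events. The match condition (objectType "Network", success False, internal source, external destination) is an assumption, since the page lists the fields used but not the exact expression.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_COUNT = 500                    # Threshold Count from the rule
THRESHOLD_WINDOW = timedelta(minutes=5)  # Threshold Window from the rule

def is_outbound_block(rec):
    """Assumed match condition (not on the page): a network record whose
    internal source was blocked (success False) reaching an external host."""
    return (rec.get("objectType") == "Network"
            and rec.get("success") is False
            and rec.get("srcDevice_ip_isInternal") is True
            and rec.get("dstDevice_ip_isInternal") is False)

def detect_excessive_outbound_blocks(records, threshold=THRESHOLD_COUNT,
                                     window=THRESHOLD_WINDOW):
    """Sliding-window count per srcDevice_ip; emits one signal per source the
    first time the count inside `window` reaches `threshold`."""
    per_src = defaultdict(deque)   # srcDevice_ip -> timestamps still in window
    fired, signals = set(), []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if not is_outbound_block(rec):
            continue
        src, q = rec["srcDevice_ip"], per_src[rec["srcDevice_ip"]]
        q.append(rec["timestamp"])
        while q and rec["timestamp"] - q[0] > window:   # drop expired events
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            signals.append({
                "name": "Excessive Outbound Firewall Blocks",
                "summary": f"Firewall blocked traffic from IP: {src} "
                           "at a high rate within a 5 minute window",
                "entities": [rec.get("srcDevice_hostname"), src],  # risk applied here
                "severity": 1, "count": len(q)})
    return signals

def constructed_records():
    """Constructed sample: 10.0.0.5 gets 500 blocks inside 4 minutes (fires);
    10.0.0.6 gets 500 blocks spread over 20 minutes (never reaches 500 in 5m)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    base = {"objectType": "Network", "success": False, "srcDevice_ip_isInternal": True,
            "dstDevice_ip_isInternal": False, "dstPort": 4444, "listMatches": []}
    recs = []
    for i in range(500):
        recs.append({**base, "srcDevice_ip": "10.0.0.5", "srcDevice_hostname": "ws-05",
                     "timestamp": t0 + timedelta(seconds=i * 0.48)})
        recs.append({**base, "srcDevice_ip": "10.0.0.6", "srcDevice_hostname": "ws-06",
                     "timestamp": t0 + timedelta(seconds=i * 2.4)})
    return recs
```

Lowering the threshold or widening the window here shows how the same burst from ws-06 would start to fire, which is the trade-off to weigh when tuning this rule against noisy sources such as scanners.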