Overview
Table name: windows_firewall_logs
Windows Firewall logs let you monitor connections the firewall dropped or allowed. By default the log is written locally to %systemroot%\system32\LogFiles\Firewall\ (the file is named pfirewall.log unless the policy changes it).
Integrating this source into Hunters ingests and parses the data, adds it to the detection phase of the Hunters pipeline, and lets you use it alongside other sources to protect your network more comprehensively.
See more details here.
Send data to Hunters
To export your Windows Firewall logs, follow the section "How to Generate the Log File" in this guide.
Once the log file is being written, use an on-premises shipping agent to ship the data to S3.
Once the export is set up and the logs are arriving in S3, follow the steps in this section.
Expected format
Hunters expects the data in CSV format, without a header and with a space delimiter. Note that pfirewall.log itself begins with comment lines starting with # (#Version, #Software, #Time Format, #Fields); strip those lines, and any blank lines, before shipping.
The fields should be:
- date
- time
- action
- protocol
- src_ip
- dst_ip
- src_port
- dst_port
- size
- tcpflags
- tcpsyn
- tcpack
- tcpwin
- icmptype
- icmpcode
- info
- path
An example of an event is as follows:
2022-03-01 15:29:30 ALLOW TCP 10.0.0.1 10.0.0.2 1234 80 52 S 14835656767 0 64240 - - - RECEIVE
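The following is an added example, not Hunters' own parser or any code from this guide. It shows what a shipper or a local sanity check has to do with a raw pfirewall.log: drop the # header lines Windows writes, split each event on single spaces into the 17 fields listed above, reject lines whose field count is wrong instead of letting columns drift, and turn the "-" placeholders into nulls. The log excerpt is constructed for the example (it reuses the page's ALLOW line and adds three made-up events), and the small DROP-per-source tally at the end is only to show the parsed events are usable for detection.

```python
from typing import Dict, List, Optional, Union

# Field order Hunters expects. It is the same order as the #Fields line Windows
# writes at the top of pfirewall.log (which names the 12th field tcpack).
FIELDS = [
    "date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
    "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
    "icmptype", "icmpcode", "info", "path",
]
# Fields that are integers when present; Windows writes "-" when they do not apply.
NUMERIC = {"src_port", "dst_port", "size", "tcpsyn", "tcpack", "tcpwin",
           "icmptype", "icmpcode"}

# Constructed sample input (not a real capture): the header Windows writes,
# a blank line, the ALLOW event from this page, and three invented events.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2022-03-01 15:29:30 ALLOW TCP 10.0.0.1 10.0.0.2 1234 80 52 S 14835656767 0 64240 - - - RECEIVE
2022-03-01 15:29:31 DROP UDP 10.0.0.5 10.0.0.2 51000 53 0 - - - - - - - RECEIVE
2022-03-01 15:29:32 DROP ICMP 10.0.0.5 10.0.0.2 - - 60 - - - - 8 0 - RECEIVE
2022-03-01 15:29:33 ALLOW TCP 10.0.0.2 10.0.0.9 49152 443 52 S 1 0 64240 - - - SEND
"""

Value = Optional[Union[str, int]]


def strip_header(text: str) -> List[str]:
    """Return only event lines: the '#...' header lines and blank lines are
    dropped, which is what 'CSV without header' requires before shipping."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def parse_event(line: str) -> Dict[str, Value]:
    """Split one space-delimited event into the 17 named fields.

    A line with the wrong field count is rejected rather than parsed, because
    a missing or extra token would otherwise shift every later column.
    """
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    event: Dict[str, Value] = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            event[name] = None          # placeholder for a field that does not apply
        elif name in NUMERIC:
            event[name] = int(raw)
        else:
            event[name] = raw
    return event


def parse_log(text: str) -> List[Dict[str, Value]]:
    """Parse a whole pfirewall.log body into a list of event dicts."""
    return [parse_event(ln) for ln in strip_header(text)]


def drops_by_source(events: List[Dict[str, Value]]) -> Dict[str, int]:
    """Count DROP events per source IP; a minimal hunting query over the parsed data."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev["action"] == "DROP":
            src = str(ev["src_ip"])
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev["date"], ev["time"], ev["action"], ev["protocol"],
              ev["src_ip"], "->", ev["dst_ip"], ev["dst_port"], ev["path"])
    print("DROP events per source:", drops_by_source(events))
```

If the shipper forwards the file as-is, the first four lines will fail this field-count check at the destination; running strip_header on the agent side (or configuring the agent to skip lines starting with #) avoids that.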