Overview

Windows Firewall logs let you monitor connections the firewall dropped or allowed. The logs are written locally under %root%\system32\LogFiles\Firewall\.
Once the data is ingested, Hunters reads it from the shared bucket, parses it, and makes the source available for protecting your network more comprehensively by adding it to the detection phase of the Hunters pipeline.

Supported Data Types

  • Windows Firewall Logs - see more details here.

Hunters Ingestion

To enable Hunters' collection and ingestion of Windows Firewall Logs for your account, the logs must be collected into a storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Expected Format

Hunters expects the data in headerless CSV format.
The fields, in order, must be: date, time, action, protocol, src_ip, dst_ip, src_port, dst_port, size, tcpflags, tcpsyn, tcppack, tcpwin, icmptype, icmpcode, info, path

Event Example:

2022-03-01 15:29:30 ALLOW TCP 10.0.0.1 10.0.0.2 1234 80 52 S 14835656767 0 64240 - - - RECEIVE
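The following is an added example, not code from Hunters or from this page: a small parser for records in the field order documented above, plus a first aggregation a detection engineer would typically run over the parsed events (DROP count per source IP). It assumes fields are separated by commas or whitespace (the event example above uses spaces), that "-" marks a not-applicable field, and that any line without exactly 17 fields should be rejected rather than mis-mapped; the sample records are constructed.

```python
import re
from collections import Counter

# Field order as documented on this page (headerless CSV, 17 fields).
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcppack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]
INT_FIELDS = {"src_port", "dst_port", "size", "tcpsyn", "tcppack", "tcpwin",
              "icmptype", "icmpcode"}


def parse_line(line):
    """Parse one record into a dict keyed by FIELDS, or return None if it is
    blank, a '#' comment, or does not have exactly 17 fields (a malformed
    line is rejected instead of being silently mis-mapped). Assumption:
    fields are separated by commas or whitespace, as in the page's example."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"[,\s]+", line)
    if len(parts) != len(FIELDS):
        return None
    event = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":                 # Windows writes "-" when not applicable
            event[name] = None
        elif name in INT_FIELDS:
            event[name] = int(raw)
        else:
            event[name] = raw
    return event


def parse_log(text):
    """Parse every line of a log body, dropping lines that do not parse."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def dropped_by_source(events):
    """Count DROP events per source IP: the starting point for spotting
    hosts whose traffic the firewall keeps blocking."""
    return Counter(e["src_ip"] for e in events if e["action"] == "DROP")


# Constructed sample records (not real traffic), in the page's field order.
SAMPLE = """\
2022-03-01 15:29:30 ALLOW TCP 10.0.0.1 10.0.0.2 1234 80 52 S 14835656767 0 64240 - - - RECEIVE
2022-03-01 15:29:31 DROP TCP 203.0.113.5 10.0.0.2 40000 3389 52 S 1 0 64240 - - - RECEIVE
2022-03-01 15:29:32 DROP ICMP 203.0.113.5 10.0.0.2 - - 60 - - - - 8 0 - RECEIVE
this line is malformed and must be rejected
"""
```

Running `parse_log(SAMPLE)` yields three events and discards the malformed line; the ICMP record parses with `src_port`/`dst_port` set to None and `icmptype` 8.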