DC0053: Firewall Metadata
Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:
- Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment." - Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers." - Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates." - Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com." - Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports. - Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."
This data component can be collected through the following measures:
Cloud Control Plane
- Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall. - Example: `az network firewall show --name
Host-Based Firewalls
- Windows: Use PowerShell to gather metadata: `Get-NetFirewallRule -PolicyStore PersistentStore` - Linux: Query iptables or nftables rulesets: `iptables -S` - macOS: Use pfctl to extract metadata: `sudo pfctl -sr`
SIEM Integration
- Collect logs from cloud platforms, host systems, and network appliances.
API Monitoring
- Monitor API calls for metadata requests. Example (AWS): `Capture DescribeSecurityGroups or DescribeNetworkAcls` calls via CloudTrail.
Endpoint Detection and Response (EDR)
- Use EDR solutions to monitor firewall management tools for configuration changes or queries.
Analyst context for executives and security teams
Firewall Metadata matters because it shows whether network and host filtering controls are actually defined, enabled, owned, and changing as intended. For leaders, this is not just configuration inventory: it is evidence for whether production boundaries, cloud security groups, host firewall rules, and administrative changes can be validated during an incident, audit, or resilience review.
Executive priority
Prioritize this data component as a control-assurance and incident-readiness input. It helps answer business questions such as: which firewalls protect production systems, who changed a policy, whether a rule allows risky inbound access, and whether cloud or host firewalls are disabled or pending updates. It is especially useful for compliance evidence, cloud security governance, vulnerability exposure reviews, and IR scoping when teams must quickly determine what traffic should or should not have been allowed.
Technical view
SOC, cloud security, and IR teams should validate that firewall configuration metadata is collected from cloud control planes, host firewalls, and SIEM/API sources where applicable. The ATT&CK object lists examples including Azure Activity Logs and Network Watcher, AWS CloudTrail and describe commands, Google Cloud firewall rule listings, Windows PowerShell firewall rules, Linux iptables or nftables rulesets, macOS pfctl output, network appliance logs, and EDR monitoring of firewall management tools. Because no official detection logic or ATT&CK relationships are supplied, this component should be treated as an evidence source for configuration state and administrative change visibility rather than a standalone detection analytic.
Likely telemetry
- Cloud control plane activity logs for firewall and security group configuration metadata
- API audit events for firewall metadata queries or changes, such as security group or network ACL describe activity where available
- Firewall names, types, purposes, tags, owners, and environment labels
- Firewall policy and rule details including source and destination ranges, protocols, ports, and allow/deny intent
- Firewall status indicators such as active, disabled, or pending updates
Detection direction
- Confirm that metadata collection covers both cloud control planes and host-based firewalls in the environments that matter most to the business.
- Correlate firewall rule changes with administrative identity, change tickets, asset ownership, and production tags to reduce false positives and improve triage value.
- Validate visibility into disabled firewalls, permissive rules, unexpected inbound exposure, and changes to production-tagged resources.
- Tune alerts around high-risk changes rather than every metadata read, since legitimate administration and inventory tooling can generate frequent queries.
- Check for blind spots where SIEM ingestion captures traffic logs but not firewall configuration, policy status, tags, or administrative change metadata.
Mitigation priorities
- Establish authoritative inventory for cloud, host, and appliance firewalls, including ownership and environment tags.
- Centralize collection of firewall configuration, policy, status, and administrative change metadata into a SIEM or equivalent evidence store.
- Require change control and identity attribution for firewall policy modifications, especially for production resources.
- Review rules for excessive exposure, disabled protections, missing owners, or stale policies as part of cloud security and vulnerability management workflows.
- Retain metadata and audit history long enough to support incident response, compliance evidence, and post-change review.
Analyst notes and limits
The supplied ATT&CK object is a data component, not a technique. Its value is in confirming whether defenders can observe firewall configuration state and related administrative metadata across cloud control planes, host systems, network appliances, SIEM integrations, API monitoring, and EDR-supported management activity.
No official detection text, tactics, platforms, or relationship context were supplied. Environment-specific scope, log availability, retention, and control ownership must be validated locally before making coverage or risk claims.
Firewall Metadata
Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:
- Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment." - Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers." - Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates." - Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com." - Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports. - Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."
This data component can be collected through the following measures:
Cloud Control Plane
- Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall. - Example: `az network firewall show --name
Host-Based Firewalls
- Windows: Use PowerShell to gather metadata: `Get-NetFirewallRule -PolicyStore PersistentStore` - Linux: Query iptables or nftables rulesets: `iptables -S` - macOS: Use pfctl to extract metadata: `sudo pfctl -sr`
SIEM Integration
- Collect logs from cloud platforms, host systems, and network appliances.
API Monitoring
- Monitor API calls for metadata requests. Example (AWS): `Capture DescribeSecurityGroups or DescribeNetworkAcls` calls via CloudTrail.
Endpoint Detection and Response (EDR)
- Use EDR solutions to monitor firewall management tools for configuration changes or queries.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | 5a2527d86b7e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DC0053Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.