AN0410: Analytic 0410
Detection of firewall ACL or rule base changes through CLI (e.g., no access-list, permit any any). Monitor configuration commits from unusual users or sessions.
Analyst context for executives and security teams
This analytic matters because firewall rule changes can immediately alter business exposure: a single overly broad ACL change can open sensitive services, disrupt segmentation, or weaken audit commitments. The supplied ATT&CK object focuses on detecting firewall ACL or rule base changes made through CLI, especially risky patterns such as removing access lists or permitting broad access, and on reviewing commits from unusual users or sessions.
Executive priority
Security leaders should treat network device change visibility as a resilience and governance issue, not only a SOC alerting issue. The key decision is whether the organization can prove who changed firewall policy, from where, when, and whether the change was authorized. This supports incident response scoping, compliance evidence, segmentation assurance, and prioritization of controls around privileged network administration.
Technical view
For SOC, detection engineering, and IR teams, validate that firewall and network device administration activity is logged with enough detail to identify CLI-based configuration changes, rule base commits, user identity, session source, timestamp, and changed ACL content. Because ATT&CK provides no separate detection logic and no related techniques or tactics for this object, local engineering should focus on high-risk configuration deltas and anomalous administrative context rather than assuming a predefined ATT&CK query exists.
Likely telemetry
- Network device configuration change logs
- Firewall commit or rule base audit logs
- CLI command history where available
- Privileged administrator authentication logs
- Remote administration session metadata such as source address, time, and user
Detection direction
- Alert on, or queue for review, firewall ACL changes that remove access controls or introduce overly broad permissions; keep the command detail carried in alerts limited to what defenders need.
- Correlate configuration commits with approved change tickets, maintenance windows, and expected administrator accounts.
- Prioritize unusual users, unusual session sources, and changes outside normal administrative patterns.
- Tune for legitimate emergency changes and routine maintenance to reduce false positives.
- Validate blind spots: devices not forwarding logs, CLI actions not captured, shared admin accounts, missing commit metadata, and lack of historical configuration baselines.
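The telemetry list and the detection direction above describe a review pass that a detection engineer would typically script: parse configuration-change records, flag the risky ACL patterns the analytic names (access-list removal, permit-any-any), and correlate each commit with approved change windows, expected administrator accounts, and management-network sources. The following is an added example, not code from ATT&CK or Glexia; the log field layout, the ticket records, the admin set, and the management subnet are all constructed assumptions rather than any vendor's format.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Constructed inputs (assumptions, not a vendor log format or real tickets) ---
SAMPLE_LOGS = [
    "2026-03-02T09:15:00Z host=fw-edge-1 user=jdoe src=10.20.0.15 session=7 "
    "cmd='access-list 101 permit tcp any host 10.1.1.10 eq 443'",
    "2026-03-02T22:47:12Z host=fw-edge-1 user=svc-backup src=203.0.113.44 session=9 "
    "cmd='no access-list 101'",
    "2026-03-02T22:47:30Z host=fw-edge-1 user=svc-backup src=203.0.113.44 session=9 "
    "cmd='access-list 101 permit ip any any'",
    "2026-03-03T10:02:05Z host=fw-edge-1 user=asmith src=10.20.0.22 session=12 "
    "cmd='access-list 120 permit tcp any any eq 80'",
]
APPROVED_CHANGES = [  # constructed change-approval records
    {"ticket": "CHG-1001", "host": "fw-edge-1", "user": "jdoe",
     "start": "2026-03-02T09:00:00Z", "end": "2026-03-02T10:00:00Z"},
    {"ticket": "CHG-1002", "host": "fw-edge-1", "user": "asmith",
     "start": "2026-03-03T10:00:00Z", "end": "2026-03-03T11:00:00Z"},
]
EXPECTED_ADMINS = {"jdoe", "asmith"}                  # named admin accounts (assumed)
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]    # approved management network (assumed)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"session=(?P<session>\d+) cmd='(?P<cmd>[^']*)'$"
)
# Risky patterns named by the analytic: "no access-list ..." and "permit [proto] any any".
ACL_REMOVAL = re.compile(r"^\s*no\s+access-list\b")
BROAD_PERMIT = re.compile(r"\bpermit\s+(?:\S+\s+)?any\s+any\b")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class ChangeEvent:
    ts: datetime
    host: str
    user: str
    src: str
    session: int
    cmd: str


def parse_line(line):
    """Parse one constructed config-change record; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return ChangeEvent(parse_ts(m["ts"]), m["host"], m["user"], m["src"],
                       int(m["session"]), m["cmd"])


def classify_command(cmd):
    """Name the risky ACL pattern in a CLI command, or None if it looks routine."""
    if ACL_REMOVAL.search(cmd):
        return "acl_removed"
    if BROAD_PERMIT.search(cmd):
        return "broad_permit"
    return None


def approved_ticket(ev):
    """Return the ticket covering this host, user and commit time, or None."""
    for chg in APPROVED_CHANGES:
        if (chg["host"] == ev.host and chg["user"] == ev.user
                and parse_ts(chg["start"]) <= ev.ts <= parse_ts(chg["end"])):
            return chg["ticket"]
    return None


def review(lines):
    """Return one finding per change event that needs attention, in input order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pattern = classify_command(ev.cmd)
        context = []  # anomalous administrative context around the commit
        if ev.user not in EXPECTED_ADMINS:
            context.append("unexpected_user")
        if not any(ipaddress.ip_address(ev.src) in net for net in MGMT_NETS):
            context.append("source_outside_mgmt_net")
        ticket = approved_ticket(ev)
        if ticket is None:
            context.append("no_approved_change")
        if pattern is None and not context:
            continue  # routine change by an expected admin inside an approved window
        if pattern and context:
            severity = "high"
        elif pattern:
            severity = "medium"  # approved but broad: route to post-change review
        else:
            severity = "low"
        findings.append({
            "ts": ev.ts.isoformat(), "host": ev.host, "user": ev.user, "src": ev.src,
            "session": ev.session, "cmd": ev.cmd, "pattern": pattern,
            "context": context, "ticket": ticket, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS):
        print(f["severity"], f["ts"], f["user"], f["pattern"], f["context"],
              f["ticket"], "|", f["cmd"])
```

On the constructed input the approved, scoped change by jdoe produces no finding; the two late-night commits from a service account on an address outside the management network are rated high (risky pattern plus anomalous context), and the approved but broad permit by asmith is rated medium so it lands in post-change review rather than paging anyone. Tuning for emergency changes would normally be done by adding an emergency-ticket source to APPROVED_CHANGES rather than by relaxing the pattern matching.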
Mitigation priorities
- Ensure centralized collection and retention of firewall configuration and administration logs.
- Use named administrator accounts and privileged access controls for network device management.
- Require change approval and post-change review for firewall ACL and rule base modifications.
- Maintain configuration backups or baselines so responders can compare intended versus actual policy.
- Limit administrative access paths to approved management networks and monitor those sessions.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic AN0410. The object is a detection analytic for Network Devices and describes monitoring CLI-driven firewall ACL or rule base changes, including commits from unusual users or sessions. No tactics, relationships, aliases, or separate official detection logic were supplied.
ATT&CK does not provide implementation-specific detection logic, supported firewall products, event IDs, relationship context, or evidence of active exploitation for this object. Local device capabilities, logging configuration, identity practices, and change-management data are required to determine actual coverage and alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 31b25e768091… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0410 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.