MITRE ATT&CK® Analytic

AN0855: Analytic 0855

Defender observes configuration changes on firewall/network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. Behavior often follows unauthorized login, privilege escalation, or API abuse.

Enterprise | AN0855 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because firewall and network appliance rule changes can directly alter what traffic is allowed into, out of, or across the business. The supplied ATT&CK description focuses on abnormal management sources or non-console channels such as remote CLI or API, especially when followed by outbound traffic that was previously blocked, unexpected broad allow rules, or bulk deletions. For leaders, the decision point is whether network control-plane changes are visible, attributable, reviewed, and tied to incident response workflows quickly enough to prevent a configuration change from becoming an outage, data exposure, or loss of segmentation.

Executive priority

Prioritize this as a network resilience and governance control validation. Ask whether firewall and appliance changes are logged centrally, whether authorized management IPs and channels are defined, whether emergency or API-based changes are distinguishable from abuse, and whether SOC/IR teams can correlate configuration changes with traffic changes. This is also useful audit evidence for change management, privileged access oversight, and segmentation control assurance.

Technical view

Validate monitoring for Network Devices around rule creation, modification, and deletion events. Focus on changes originating from abnormal management IPs, remote CLI, API, or other non-console paths, then correlate with traffic behavior such as spikes in previously blocked outbound connections, unexpected allow-all rules, or bulk rule deletions. Because no ATT&CK detection text or relationships were supplied beyond the analytic description, detection engineering should treat this as a behavior pattern requiring local baselines for approved administrators, management networks, change windows, and expected automation accounts.

Likely telemetry

  • Firewall and network appliance configuration change logs
  • Rule creation, modification, and deletion audit events
  • Management-plane access logs, including source IP and channel where available
  • Remote CLI and API activity logs for network devices
  • Allowed and blocked traffic logs before and after configuration changes

Detection direction

  • Baseline approved management IP ranges, administrative channels, automation accounts, and normal change windows for each network device class.
  • Alert on rule creation, modification, or deletion from abnormal management IPs or non-console channels when not tied to an approved change.
  • Correlate suspicious rule changes with traffic shifts, especially previously blocked outbound traffic becoming allowed, unexpected broad allow rules, or bulk rule deletions.
  • Tune for legitimate automation, emergency changes, and scheduled maintenance to reduce false positives while preserving review of high-risk changes.
  • Validate that logs include enough detail to identify actor, source, channel, target device, rule changed, and before/after policy state.
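As an added example (not part of this page or of MITRE's analytic), the detection direction above expressed as a small Python correlation over constructed firewall audit and traffic records. The field names, the approved management network, channel names, account names and thresholds are assumptions standing in for a local baseline.

```python
from ipaddress import ip_address, ip_network

# Assumed local baseline (the organisation's approved management model); all values are constructed.
APPROVED_MGMT_NETS = [ip_network("10.10.0.0/24")]
APPROVED_CHANNELS = {"console", "ssh-mgmt"}
AUTOMATION_ACCOUNTS = {"svc-netauto"}
BULK_DELETE_MIN = 5           # deletions per device counted as "bulk"
BLOCKED_TO_ALLOWED_MIN = 3    # distinct destinations flipping deny -> allow after a change

def abnormal_source(ev):
    """True when a change came from outside approved management IPs or via a non-approved channel."""
    in_mgmt = any(ip_address(ev["src_ip"]) in net for net in APPROVED_MGMT_NETS)
    return not in_mgmt or ev["channel"] not in APPROVED_CHANNELS

def evaluate(config_events, traffic_events):
    """Correlate rule-change audit records with traffic verdicts; returns (device, reason) findings."""
    findings, per_device = [], {}
    for ev in config_events:
        # Tuning: approved automation accounts and ticketed (approved) changes are baselined out.
        if ev["user"] in AUTOMATION_ACCOUNTS or ev.get("ticket"):
            continue
        per_device.setdefault(ev["device"], []).append(ev)
        if abnormal_source(ev):
            findings.append((ev["device"], f"rule {ev['action']} from {ev['src_ip']} via {ev['channel']}"))
        if ev["action"] in ("create", "modify") and ev["rule"] == "any any allow":
            findings.append((ev["device"], "broad allow-all rule"))
    for device, evs in per_device.items():
        deletes = sum(1 for e in evs if e["action"] == "delete")
        if deletes >= BULK_DELETE_MIN:
            findings.append((device, f"bulk deletion of {deletes} rules"))
        # Traffic correlation: destinations denied before the first unreviewed change, allowed after it.
        first_change = min(e["ts"] for e in evs)
        blocked_before = {t["dst"] for t in traffic_events if t["device"] == device
                          and t["ts"] < first_change and t["verdict"] == "deny"}
        allowed_after = {t["dst"] for t in traffic_events if t["device"] == device
                         and t["ts"] >= first_change and t["verdict"] == "allow"}
        flipped = blocked_before & allowed_after
        if len(flipped) >= BLOCKED_TO_ALLOWED_MIN:
            findings.append((device, f"{len(flipped)} previously blocked outbound destinations now allowed"))
    return findings

# Constructed sample records (not real logs): a ticketed automation change, then an unreviewed
# allow-all rule and five deletions from an off-network IP over the API.
_UNREVIEWED = {"device": "fw-edge-1", "user": "admin2", "src_ip": "203.0.113.9", "channel": "api"}
CONFIG = [{"ts": 100, "device": "fw-edge-1", "user": "svc-netauto", "src_ip": "10.10.0.5",
           "channel": "api", "action": "modify", "rule": "r42", "ticket": "CHG-1"},
          {"ts": 200, "action": "create", "rule": "any any allow", **_UNREVIEWED}]
CONFIG += [{"ts": 201 + i, "action": "delete", "rule": f"r{i}", **_UNREVIEWED} for i in range(5)]
TRAFFIC = [{"ts": 150, "device": "fw-edge-1", "dst": f"198.51.100.{i}", "verdict": "deny"} for i in range(3)]
TRAFFIC += [{"ts": 300, "device": "fw-edge-1", "dst": f"198.51.100.{i}", "verdict": "allow"} for i in range(3)]
```

Running `evaluate(CONFIG, TRAFFIC)` yields one finding per unreviewed rule change plus the allow-all, bulk-deletion and blocked-to-allowed correlations; the ticketed automation change produces none.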

Mitigation priorities

  • Define and enforce authorized management paths for network devices, including approved management IPs and administrative channels.
  • Require privileged change accountability through named accounts, change records, and reviewable approvals where operationally feasible.
  • Restrict and monitor API and remote CLI access to network appliances, especially for rule-management functions.
  • Implement independent review or alerting for broad allow rules, bulk deletions, and changes affecting outbound egress controls or segmentation boundaries.
  • Ensure SOC and incident response playbooks include rapid validation and rollback procedures for unauthorized or high-risk network policy changes.

Analyst notes and limits

The supplied object is an ATT&CK detection analytic for Network Devices with no tactic specified and no relationship context. The practical value is in validating control-plane visibility and correlation between firewall rule changes and traffic outcomes. This should be adapted to the organization’s network architecture, approved management model, and change process.

Official detection content was not provided, and no related techniques, tactics, mitigations, data sources, or threat actors were supplied. This take does not assert active exploitation, attribution, or existing detection coverage. Local telemetry quality and device logging capabilities will determine achievable detection fidelity.

Official MITRE ATT&CK definition

Analytic 0855

Defender observes configuration changes on firewall/network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. Behavior often follows unauthorized login, privilege escalation, or API abuse.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 946203b40a8f4683...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 946203b40a8f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0855 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.