Firewall Logs (Allow/Deny)
Location
Firewall management console or syslog server (vendor-specific: Palo Alto, Fortinet, pfSense, iptables)
Description
Perimeter and internal firewall logs recording every permitted and denied connection attempt with source/destination IP, port, protocol, rule name, action, and byte count.
Forensic Value
Firewall deny logs reveal attacker reconnaissance -- repeated blocked connections to internal IPs on sequential ports indicate port scanning. Allowed connections to known-malicious IPs that were later added to threat feeds retroactively identify early compromise indicators. Outbound allow logs to unusual destination countries or non-standard ports (e.g., TCP 4444, 8888) expose C2 and exfiltration channels. Rule-name correlation shows which firewall policies the attacker exploited.
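The two heuristics above, a run of denied connections from one source to one host across sequential ports as a scanning cue and an allowed outbound flow on a port such as TCP 4444 as a possible C2 cue, applied to a constructed log export. This is an added example, not part of this page; the CSV column layout, the sample addresses, the five-port threshold and the 10.x internal prefix are assumptions, and real vendor exports need their own parser.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export. The CSV layout is an assumption for this example;
# real PAN-OS, FortiGate or pfSense exports differ and need their own parser.
SAMPLE_LOG = """\
time,src_ip,dest_ip,dest_port,proto,rule,action,bytes
2024-05-01T03:10:01Z,10.0.5.23,10.0.8.10,22,tcp,internal-default,deny,0
2024-05-01T03:10:01Z,10.0.5.23,10.0.8.10,23,tcp,internal-default,deny,0
2024-05-01T03:10:02Z,10.0.5.23,10.0.8.10,24,tcp,internal-default,deny,0
2024-05-01T03:10:02Z,10.0.5.23,10.0.8.10,25,tcp,internal-default,deny,0
2024-05-01T03:10:03Z,10.0.5.23,10.0.8.10,26,tcp,internal-default,deny,0
2024-05-01T03:11:40Z,10.0.5.23,203.0.113.77,4444,tcp,outbound-any,allow,918422
2024-05-01T03:12:00Z,10.0.6.15,198.51.100.9,443,tcp,outbound-web,allow,5120
"""
SUSPICIOUS_PORTS = {4444, 8888}  # the non-standard ports the text calls out

def parse(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["dest_port"], r["bytes"] = int(r["dest_port"]), int(r["bytes"])
    return rows

def find_port_scans(rows, min_ports=5):
    """Denies from one source to one host on many ports; reports the longest sequential run."""
    seen = defaultdict(set)
    for r in rows:
        if r["action"] == "deny":
            seen[(r["src_ip"], r["dest_ip"])].add(r["dest_port"])
    hits = []
    for (src, dst), ports in seen.items():
        if len(ports) < min_ports:
            continue
        ordered, run, best = sorted(ports), 1, 1
        for a, b in zip(ordered, ordered[1:]):  # count consecutive port numbers
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        hits.append({"src_ip": src, "dest_ip": dst, "ports": len(ports), "sequential_run": best})
    return hits

def find_suspicious_outbound(rows, internal_prefix="10."):
    """Allowed internal-to-external flows on flagged ports, keeping rule name and bytes for follow-up."""
    return [{"src_ip": r["src_ip"], "dest_ip": r["dest_ip"], "dest_port": r["dest_port"],
             "rule": r["rule"], "bytes": r["bytes"]}
            for r in rows
            if r["action"] == "allow" and r["dest_port"] in SUSPICIOUS_PORTS
            and r["src_ip"].startswith(internal_prefix)
            and not r["dest_ip"].startswith(internal_prefix)]
```

The rule name and byte count carried in the outbound hits are what let you tie the flow back to the policy that permitted it and estimate how much left the network.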
Tools Required
Collection Commands
Palo Alto CLI
show log traffic direction equal backward receive_time in last-24-hrs | match <suspicious-ip>
Splunk
index=firewall action=blocked OR action=denied earliest=-7d | stats count by src_ip, dest_ip, dest_port | sort -count | head 100
iptables
iptables -L -v -n --line-numbers > iptables_rules.txt && grep "iptables" /var/log/kern.log > iptables_log.txt
MITRE ATT&CK Techniques
Used in Procedures
Network Isolation of Compromised Systems -- contain
Log Preservation and Snapshot -- preserve
Map Exfiltration Channels (HTTP, DNS, Cloud Sync) -- analyze
Block Active Exfiltration Pathways -- contain
Halt Ransomware Propagation -- contain
Conduct Lessons Learned Review Session -- post-incident
Post-Incident Configuration Hardening -- eradicate
Review Ransomware Resilience and Backup Isolation Failures -- post-incident
Related Blockers
No PCAP or NetFlow Data Available
There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.
Need Data from External Vendor or MSP
Critical evidence resides with a third-party managed service provider, SaaS vendor, or hosting company. Your team has no direct access and must navigate contractual, legal, and technical hurdles to obtain logs or images.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Backups May Be Compromised -- Cannot Trust for Recovery
Backup integrity is uncertain. The attacker may have been present in the environment long enough to have compromised backup copies, planted persistence mechanisms in backup images, or encrypted/deleted backup repositories.
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.