T1599 Network Boundary Bridging Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousKeywords = dynamic(["permit ip any any", "no access-list", "access-group removed", "nat bypass", "ip route 0.0.0.0", "no ip access-group", "access-list extended permit", "shutdown", "policy deleted", "rule removed", "bypass", "clear access-list", "no firewall"]);
let NetworkVendors = dynamic(["Cisco", "Palo Alto Networks", "Fortinet", "Check Point", "Juniper Networks", "SonicWall", "WatchGuard", "F5", "Barracuda"]);
CommonSecurityLog
| where DeviceVendor in~ (NetworkVendors)
| where Activity has_any ("ACL-change", "config-change", "policy-change", "route-change", "nat-change", "firewall-change", "configuration")
    or Message has_any (SuspiciousKeywords)
| where DeviceAction !in~ ("deny", "blocked", "drop", "reject")
| extend ChangeType = case(
    Message has_any ("access-list", "ACL", "access-group"), "ACL_Modification",
    Message has_any ("nat", "NAT", "overload"), "NAT_Rule_Change",
    Message has_any ("ip route", "route add", "static route", "gateway"), "Route_Modification",
    Message has_any ("policy", "rule", "filter"), "Policy_Change",
    Message has_any ("shutdown", "no shutdown", "interface"), "Interface_Change",
    "Other"
)
| extend RiskScore = case(
    Message has "permit ip any any", 100,
    Message has "no access-list", 95,
    Message has "nat bypass", 95,
    Message has "ip route 0.0.0.0", 90,
    Message has "access-group removed", 85,
    Message has "clear access-list", 80,
    Message has "policy deleted", 75,
    70
)
| where RiskScore >= 75
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAddress, ChangeType, RiskScore, Activity, Message, SourceUserName, SourceIP, Computer
| order by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Sentinel - CommonSecurityLog (CEF) Microsoft Sentinel - Syslog

Required Tables

CommonSecurityLog

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Splunk

spl

index=network (sourcetype=syslog OR sourcetype=cisco:ios OR sourcetype=cisco:asa OR sourcetype=pan:log OR sourcetype=juniper:junos)
| search ("access-list" OR "acl" OR "permit ip any" OR "no access-group" OR "nat" OR "ip route" OR "static-route" OR "firewall rule" OR "policy" OR "config" OR "shutdown")
| search NOT ("Deny" OR "denied" OR "blocked" OR "drop" OR "reject")
| rex field=_raw "(?i)%(?P<facility>[A-Z0-9_-]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
| rex field=_raw "(?i)(?P<change_keyword>access-list|access-group|nat overload|ip route|policy|firewall rule|no shutdown|shutdown)"
| eval risk_score=case(
    like(lower(_raw), "%permit ip any any%"), 100,
    like(lower(_raw), "%no access-list%"), 95,
    like(lower(_raw), "%nat bypass%"), 95,
    like(lower(_raw), "%ip route 0.0.0.0%"), 90,
    like(lower(_raw), "%access-group removed%"), 85,
    like(lower(_raw), "%clear access-list%"), 80,
    like(lower(_raw), "%policy deleted%"), 80,
    like(lower(_raw), "%rule removed%"), 75,
    1=1, 40
)
| where risk_score >= 75
| eval change_summary=coalesce(change_keyword, "unknown")
| stats count as change_count, max(risk_score) as max_risk, values(change_summary) as change_types, first(_raw) as sample_log, list(_time) as change_times by host, src_ip, user
| eval time_span_seconds=mvindex(change_times, -1) - mvindex(change_times, 0)
| where max_risk >= 75
| sort - max_risk
| table host, src_ip, user, change_types, max_risk, change_count, time_span_seconds, sample_log

high severity medium confidence

Data Sources

Syslog from network devices Cisco IOS/ASA syslog Palo Alto syslog Juniper JunOS syslog

Required Sourcetypes

syslog cisco:ios cisco:asa pan:log juniper:junos

False Positives

Network operations center (NOC) engineers applying approved firewall rule changes during maintenance windows
Automated configuration management tools (Ansible, Puppet, Chef) applying network policy changes as part of IaC workflows
Firewall audits and compliance scans that trigger read/change events in network device logs
Disaster recovery failover events that automatically reconfigure routing to alternate paths

Elastic Security (EQL)

eql

// T1599 — Network Boundary Bridging
any where event.dataset : "network_traffic.firewall"
  and event.action in ("config_change", "rule_modified", "policy_deleted")
  and message : (
    "permit ip any any", "no access-list", "nat bypass",
    "ip route 0.0.0.0", "no ip access-group", "rule removed",
    "policy deleted", "clear access-list"
  )

high severity medium confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| count by src_ip, dest_ip, dest_port
| sort by _count desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/network

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Google Chronicle / SecOps

yaral

rule t1599_network_boundary_bridging {
  meta:
    author = "df00tech"
    description = "Detects Network Boundary Bridging (T1599)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1599"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1599 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

high severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Network Boundary Bridging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Defense Evasion

Popular Detections