Which SIEM platforms have a T1599 detection rule?

df00tech provides T1599 (Network Boundary Bridging) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Network Boundary Bridging (T1599)?

Detecting Network Boundary Bridging requires the following data sources: Microsoft Sentinel - CommonSecurityLog (CEF), Microsoft Sentinel - Syslog.

What severity and confidence is the T1599 detection?

The T1599 detection is rated high severity with medium confidence.

What are common false positives for T1599?

Common false positives for T1599 include: Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira); Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates; Security operations performing penetration test or red team exercises with pre-authorized network changes.

T1599: Network Boundary Bridging — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let SuspiciousKeywords = dynamic(["permit ip any any", "no access-list", "access-group removed", "nat bypass", "ip route 0.0.0.0", "no ip access-group", "access-list extended permit", "shutdown", "policy deleted", "rule removed", "bypass", "clear access-list", "no firewall"]);
let NetworkVendors = dynamic(["Cisco", "Palo Alto Networks", "Fortinet", "Check Point", "Juniper Networks", "SonicWall", "WatchGuard", "F5", "Barracuda"]);
CommonSecurityLog
| where DeviceVendor in~ (NetworkVendors)
| where Activity has_any ("ACL-change", "config-change", "policy-change", "route-change", "nat-change", "firewall-change", "configuration")
    or Message has_any (SuspiciousKeywords)
| where DeviceAction !in~ ("deny", "blocked", "drop", "reject")
| extend ChangeType = case(
    Message has_any ("access-list", "ACL", "access-group"), "ACL_Modification",
    Message has_any ("nat", "NAT", "overload"), "NAT_Rule_Change",
    Message has_any ("ip route", "route add", "static route", "gateway"), "Route_Modification",
    Message has_any ("policy", "rule", "filter"), "Policy_Change",
    Message has_any ("shutdown", "no shutdown", "interface"), "Interface_Change",
    "Other"
)
| extend RiskScore = case(
    Message has "permit ip any any", 100,
    Message has "no access-list", 95,
    Message has "nat bypass", 95,
    Message has "ip route 0.0.0.0", 90,
    Message has "access-group removed", 85,
    Message has "clear access-list", 80,
    Message has "policy deleted", 75,
    70
)
| where RiskScore >= 75
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAddress, ChangeType, RiskScore, Activity, Message, SourceUserName, SourceIP, Computer
| order by RiskScore desc, TimeGenerated desc

Detects unauthorized or suspicious configuration changes on perimeter network devices by querying CommonSecurityLog for CEF-formatted events from firewalls and routers. Focuses on ACL deletions or permit-any rules, NAT bypass entries, static route additions to isolated segments, and policy removals — all of which could allow prohibited traffic to cross trust boundaries. Risk-scored to surface highest-severity changes first.

high severity medium confidence

Data Sources

Microsoft Sentinel - CommonSecurityLog (CEF) Microsoft Sentinel - Syslog

Required Tables

CommonSecurityLog

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Splunk

spl

index=network (sourcetype=syslog OR sourcetype=cisco:ios OR sourcetype=cisco:asa OR sourcetype=pan:log OR sourcetype=juniper:junos)
| search ("access-list" OR "acl" OR "permit ip any" OR "no access-group" OR "nat" OR "ip route" OR "static-route" OR "firewall rule" OR "policy" OR "config" OR "shutdown")
| search NOT ("Deny" OR "denied" OR "blocked" OR "drop" OR "reject")
| rex field=_raw "(?i)%(?P<facility>[A-Z0-9_-]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
| rex field=_raw "(?i)(?P<change_keyword>access-list|access-group|nat overload|ip route|policy|firewall rule|no shutdown|shutdown)"
| eval risk_score=case(
    like(lower(_raw), "%permit ip any any%"), 100,
    like(lower(_raw), "%no access-list%"), 95,
    like(lower(_raw), "%nat bypass%"), 95,
    like(lower(_raw), "%ip route 0.0.0.0%"), 90,
    like(lower(_raw), "%access-group removed%"), 85,
    like(lower(_raw), "%clear access-list%"), 80,
    like(lower(_raw), "%policy deleted%"), 80,
    like(lower(_raw), "%rule removed%"), 75,
    1=1, 40
)
| where risk_score >= 75
| eval change_summary=coalesce(change_keyword, "unknown")
| stats count as change_count, max(risk_score) as max_risk, values(change_summary) as change_types, first(_raw) as sample_log, list(_time) as change_times by host, src_ip, user
| eval time_span_seconds=mvindex(change_times, -1) - mvindex(change_times, 0)
| where max_risk >= 75
| sort - max_risk
| table host, src_ip, user, change_types, max_risk, change_count, time_span_seconds, sample_log

Detects suspicious network boundary manipulation events sourced from syslog of network devices including Cisco IOS/ASA, Juniper JunOS, and Palo Alto firewalls. Looks for ACL modifications, permit-any rules, NAT bypasses, and static route additions using risk scoring. Aggregates multiple changes per source host/IP to surface adversaries making rapid sequential configuration changes.

high severity medium confidence

Data Sources

Syslog from network devices Cisco IOS/ASA syslog Palo Alto syslog Juniper JunOS syslog

Required Sourcetypes

syslog cisco:ios cisco:asa pan:log juniper:junos

False Positives

Network operations center (NOC) engineers applying approved firewall rule changes during maintenance windows
Automated configuration management tools (Ansible, Puppet, Chef) applying network policy changes as part of IaC workflows
Firewall audits and compliance scans that trigger read/change events in network device logs
Disaster recovery failover events that automatically reconfigure routing to alternate paths

Elastic Security (EQL)

eql

// T1599 — Network Boundary Bridging
any where event.dataset : "network_traffic.firewall"
  and event.action in ("config_change", "rule_modified", "policy_deleted")
  and message : (
    "permit ip any any", "no access-list", "nat bypass",
    "ip route 0.0.0.0", "no ip access-group", "rule removed",
    "policy deleted", "clear access-list"
  )

Elastic EQL detection for Network Boundary Bridging (T1599). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

high severity medium confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

QRadar AQL detection for Network Boundary Bridging (T1599). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Sumo Logic CSE

sql

_sourceCategory=*firewall* OR _sourceCategory=*network*
| json auto
| where !(src_ip matches "10.*") and !(src_ip matches "192.168.*")
| count by src_ip, dest_ip, dest_port
| sort by _count desc

Sumo Logic detection for Network Boundary Bridging (T1599). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface network boundary bridging patterns. Designed for the Sumo Logic Cloud SIEM platform.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

network/firewall security/network

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Google Chronicle / SecOps

yaral

rule t1599_network_boundary_bridging {
  meta:
    author = "df00tech"
    description = "Detects Network Boundary Bridging (T1599)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1599"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.ip != ""
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Network Boundary Bridging (T1599). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_CONNECTION NETWORK_FLOW

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1599 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

CrowdStrike LogScale (Falcon) CQL detection for Network Boundary Bridging (T1599). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.

high severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
Security operations performing penetration test or red team exercises with pre-authorized network changes
Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs

Network Boundary Bridging

What is T1599 Network Boundary Bridging?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1599

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (1)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1599 Network Boundary Bridging?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1599

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (1)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox