Detect Network Boundary Bridging in IBM QRadar
This detection identifies adversary activity consistent with MITRE ATT&CK T1599 (Network Boundary Bridging), where threat actors compromise perimeter network devices — routers, firewalls, or internal segmentation appliances — and reconfigure them to allow prohibited traffic to cross trust boundaries. Detection focuses on unauthorized ACL modifications, NAT rule changes, routing table manipulation, and firewall policy changes sourced from network device syslog and configuration audit trails ingested into SIEM. Because this technique targets network infrastructure rather than endpoints, primary telemetry comes from CommonSecurityLog (CEF-formatted device logs), Syslog, and network device AAA/TACACS+ audit streams. High-severity modifications include permit-any rules, deletion of blocking ACLs, addition of bypass NAT entries, and introduction of static routes to previously isolated segments.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1599 Network Boundary Bridging
- Canonical reference
- https://attack.mitre.org/techniques/T1599/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%') THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("deviceaction") ILIKE '%config change%' AND (LOWER("message") ILIKE '%permit ip any any%' OR LOWER("message") ILIKE '%no access-list%' OR LOWER("message") ILIKE '%nat bypass%'))
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Network Boundary Bridging (T1599). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- Authorized network engineers performing scheduled maintenance during approved change windows — validate against change management system (ServiceNow/Jira)
- Automated network management tools (Cisco DNA Center, Ansible AWX, SolarWinds NCM) pushing approved configuration templates
- Security operations performing penetration test or red team exercises with pre-authorized network changes
- Firewall rule cleanup projects legitimately removing outdated ACL entries as part of hygiene programs
Other platforms for T1599
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add iptables rule to permit forwarding between network segments on Linux firewall
Expected signal: Syslog events showing iptables rule addition, kernel sysctl change in /proc/sys/net/ipv4/ip_forward, auditd records if audit rules on iptables binary, and Linux auth logs showing sudo elevation.
- Test 2Add static route to bridge isolated network segment on Linux router
Expected signal: Auditd records of 'ip route' command execution, kernel routing table modification in /proc/net/route, syslog if routing daemon is logging, and file modification event on /etc/network/routes.
- Test 3Flush iptables security rules to allow all inter-segment traffic
Expected signal: Syslog or auditd records capturing: (1) iptables -F FORWARD command execution with sudo, (2) iptables -P FORWARD ACCEPT policy change, (3) sysctl net.ipv4.ip_forward=1. If network device sends SNMP traps, a linkDown/warmStart trap may fire.
References (5)
Unlock Pro Content
Get the full detection package for T1599 including response playbook, investigation guide, and atomic red team tests.