alert:
- debug
description: Detects netsh commands that turns off the Windows firewall
filter:
- query:
    query_string:
      query: data.win.eventdata.commandLine.keyword:(netsh\ firewall\ set\ opmode\ mode\=disable OR netsh\ advfirewall\ set\ *\ state\ off)
index: wazuh-alerts-3.x-*
name: 57c4bf16-227f-4394-8ec7-1b745ee061c3_0
priority: 3
realert:
  minutes: 0
type: any