t1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)
| Title | Tags |
| --- | --- |
| Firewall policy modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent and/or hostname should be making such changes in your environment. | t1562, t1562.007, azure, sigma |
| Firewall policy modified or deleted by unfamiliar users should be investigated. If known behaviour is causing false positives, it can be exempted from the rule. | t1562, t1562.007, azure, sigma |
| It is possible that a user has legitimately deleted a network ACL. | t1562, t1562.007, aws instance, instance, splunk |
| It is possible that an admin has created this ACL with all ports open for some legitimate purpose; however, such an entry should be scoped and not allowed in a production environment. | t1562, t1562.007, aws instance, splunk |
| A network admin may modify this firewall feature, which would cause this rule to trigger. | t1562, t1562.007, endpoint, splunk |
| Unless it is a special case, it is uncommon to continually update the trusted IPs in an MFA configuration. | t1562, t1562.007, o365 tenant, splunk |
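The notes above boil down to two triage steps: decide whether the change itself is risky (an ACL deleted, or an allow entry that opens every port to the world), then exempt the identities and user agents that are expected to make such changes so the rule stops firing on known behaviour. The following Python is an added example, not part of the LoFP page or of the Splunk and Sigma rules it indexes. It applies both steps to CloudTrail-shaped EC2 events; the event layout follows CloudTrail's documented fields for `CreateNetworkAclEntry` and `DeleteNetworkAcl`, while the principals, ACL IDs, user agents and exemption list are constructed for illustration. The same exemption pattern carries over to the Azure firewall-policy rows, with the Activity Log caller and user agent in place of the IAM ARN.

```python
"""Triage of network ACL changes against CloudTrail-shaped events.

Added example, not taken from the LoFP page or from the Splunk/Sigma rules it
indexes.  Event shapes follow CloudTrail's layout for EC2 API calls; the
principals, ACL IDs and exemption lists below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# EC2 API calls that change ACL posture (assumption: what a rule for this
# technique would watch).
WATCHED_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAcl"}
ANY_CIDR = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Finding:
    event_name: str
    principal: str
    acl_id: str
    reason: str


def principal_of(event: dict) -> str:
    """Identity that made the call; the ARN is preferred over the bare user name."""
    identity = event.get("userIdentity", {})
    return identity.get("arn") or identity.get("userName") or "unknown"


def opens_all_ports_to_world(params: dict) -> bool:
    """True when an allow entry admits every port from any source address."""
    if params.get("ruleAction") != "allow" or params.get("cidrBlock") != ANY_CIDR:
        return False
    port_range = params.get("portRange") or {}
    if params.get("protocol") == "-1" and not port_range:
        return True  # "all protocols" with no port range covers every port
    return (port_range.get("from"), port_range.get("to")) == ALL_PORTS


def triage(events: Iterable[dict],
           exempt_principals: frozenset = frozenset(),
           exempt_user_agents: frozenset = frozenset()) -> list:
    """Return findings for risky ACL changes, skipping exempted known behaviour."""
    findings = []
    for event in events:
        name = event.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        if event.get("errorCode"):
            continue  # a denied call changed nothing, so it is not a posture change
        principal = principal_of(event)
        if principal in exempt_principals or event.get("userAgent") in exempt_user_agents:
            continue  # known behaviour exempted from the rule
        params = event.get("requestParameters") or {}
        acl_id = params.get("networkAclId", "?")
        if name == "DeleteNetworkAcl":
            findings.append(Finding(name, principal, acl_id, "network ACL deleted"))
        elif opens_all_ports_to_world(params):
            findings.append(Finding(name, principal, acl_id,
                                    "allow entry opens all ports to 0.0.0.0/0"))
    return findings


# Constructed sample events (not real logs); account ID and ARNs are made up.
SAMPLE_EVENTS = [
    {"eventName": "CreateNetworkAclEntry", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 100, "protocol": "-1",
                           "ruleAction": "allow", "egress": False, "cidrBlock": "0.0.0.0/0",
                           "portRange": {"from": 0, "to": 65535}}},
    {"eventName": "CreateNetworkAclEntry", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 110, "protocol": "-1",
                           "ruleAction": "allow", "egress": True, "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "DeleteNetworkAcl", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"networkAclId": "acl-0ffeeddc"}},
    {"eventName": "CreateNetworkAclEntry", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 120, "protocol": "6",
                           "ruleAction": "allow", "egress": False, "cidrBlock": "10.0.0.0/8",
                           "portRange": {"from": 443, "to": 443}}},
    {"eventName": "DeleteNetworkAcl", "userAgent": "aws-cli/2.15.0",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"networkAclId": "acl-0ffeeddc"}},
]

# Hypothetical deployment role whose ACL changes are expected and reviewed elsewhere.
KNOWN_AUTOMATION = frozenset({"arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"})


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, exempt_principals=KNOWN_AUTOMATION):
        print(f"{f.event_name} on {f.acl_id} by {f.principal}: {f.reason}")
```

Run as is, the script reports two findings: the console user who opened every port to `0.0.0.0/0` and the CLI user who deleted an ACL; the Terraform role's identical all-open entry is suppressed by the exemption, the scoped `10.0.0.0/8:443` entry never matches, and the denied deletion is ignored because it changed nothing. Exempting by principal is safer than exempting by user agent alone, since a user agent string is attacker-controlled.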