LoFP / T1562

T1562 (Impair Defenses)
a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a domain transfer lock may be intentionally disabled by an authorized administrator to prepare for a planned domain migration or registrar change. confirm that the action aligns with an approved change request. you may exempt known administrative accounts involved in routine domain operations to reduce noise.
an elasticache security group deletion may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
an elasticache security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a malware filter policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a malware filter rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a safe attachment rule may be disabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
a security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
a transport rule may be modified by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
administrators legitimately enabling external sharing for a new collaboration site or project.
administrators may legitimately add security group rules to allow traffic from any ip address or from specific ip addresses to common remote access ports.
administrators may legitimately enable serial console access during troubleshooting of instances with boot issues, network misconfigurations, or ssh access problems. verify whether the user identity, user agent, and/or source ip should be making changes in your environment. serial console access enablement by unfamiliar users or from unexpected locations should be investigated. if this is expected behavior for troubleshooting, it can be exempted from the rule, but ensure serial console access is disabled after troubleshooting is complete.
administrators may temporarily disable bitlocker on managed devices for maintenance, testing, or to resolve potential endpoint conflicts.
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
applications can be added to and removed from blocklists by google workspace administrators, who can also explicitly allow all applications for users. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
authorized administrators may delete web acls as part of planned migrations, infrastructure refactoring, or automation-driven redeployments. ensure the deletion aligns with approved change requests, maintenance windows, or known iac workflows. deletions performed by unfamiliar users, unusual identities, or unexpected automation should be investigated.
authorized administrators may temporarily stop the aws config recorder during planned maintenance, account restructuring, or controlled configuration changes. automated infrastructure or compliance tooling may also stop and restart the recorder as part of setup or teardown workflows. activity outside of documented change windows or from unexpected identities should be investigated.
authorized administrators or automated workflows may purge sqs queues for legitimate operational reasons, such as clearing stale messages, resetting test environments, or performing approved maintenance. verify that the action aligns with documented procedures and expected operational behavior.
authorized softwareupdate settings changes
azure front door web application firewall (waf) policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. azure front door web application firewall (waf) policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket configurations may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. bucket configuration deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
bucket logging may be disabled by a system or network administrator. verify whether the user identity and/or user agent should be making changes in your environment. bucket logging changes by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
cloudwatch alarm deletions can occur legitimately during scheduled maintenance, infrastructure redeployments, or automation workflows that clean up temporary monitoring configurations. verify that the user identity, role, and ip address are expected for the environment. if deletions are performed by ci/cd pipelines or authorized administrators during controlled operations, consider adding exceptions based on specific iam roles, automation accounts, or ip address ranges.
cloudwatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in environments managed by iac tools (e.g., terraform, cloudformation, cdk). automation pipelines may recreate log groups as part of expected workflows. verify that the identity, user agent, and source ip match approved administrative or automation activity. if deletions are routine for specific automation roles or ci/cd hosts, consider adding scoped exceptions.
cloudwatch log streams may be deleted legitimately during log rotation processes, test environment resets, or infrastructure deployments that recreate log groups and streams. validate the identity, automation pipeline, and ip address associated with the deletion. if deletions are expected from specific ci/cd systems or administrative roles, consider adding targeted exceptions.
cluster operators and gitops automation may legitimately install or upgrade admission controllers (e.g. cert-manager, gatekeeper, kyverno, service mesh components). validate change tickets and approved controllers before tuning.
consider adding exceptions to this rule to filter false positives if okta mfa rules are regularly deactivated in your organization.
consider adding exceptions to this rule to filter false positives if okta policies are regularly deleted in your organization.
consider adding exceptions to this rule to filter false positives if your organization's okta network zones are regularly deleted.
custom applications may be allowed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
deletion of aws config resources may occur during legitimate account restructuring, environment teardown, or changes to compliance tooling. centralized security teams or approved automation may also delete and recreate config components as part of controlled workflows. confirm that the action aligns with approved change management and was performed by an expected principal.
deletion of diagnostic settings may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. diagnostic settings deletion from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
disabling a dkim configuration may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
event hub deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. event hub deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
eventbridge rules may be disabled or deleted during legitimate maintenance, refactoring, environment teardown, or migration to new event patterns/targets. verify whether the initiating identity, user agent, and source host are expected to administer eventbridge and whether the change aligns with an approved change window or deployment.
events deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. firewall policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
firewall rules may be created by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be deleted by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
firewall rules may be modified by system administrators. verify that the firewall configuration change was expected. exceptions can be added to this rule to filter expected behavior.
guardduty member relationships may be modified during legitimate organizational changes such as account migrations, security architecture restructuring, or delegated administrator transitions. verify whether the user identity and timing align with approved change management processes. if this is expected administrative activity, it can be exempted from the rule.
planned system administration changes to the host windows firewall.
if the behavior of deactivating okta policies is expected, consider adding exceptions to this rule to filter false positives.
legitimate administrators may add lifecycle expiration configurations to reduce storage costs or enforce retention policies. confirm whether this change aligns with an approved data management policy or infrastructure-as-code workflow. known lifecycle automation processes (e.g., cost-management tools, data-lifecycle governance jobs) can be safely excluded from alerting once verified.
legitimate allowlisting of noisy accounts
legitimate causes such as system maintenance, server shutdowns, or temporary network outages may trigger this alert.
legitimate windows defender configuration changes
logging bucket deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging bucket deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. logging sink deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
logging sink modifications may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. sink modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
migration or onboarding projects that temporarily require external sharing to be enabled.
misconfiguration, system reboot, network issues or expected uninstall of the elastic defend agent.
network acls may be created by a network administrator. verify whether the user identity should be making changes in your environment. network acl creations by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network acls may be deleted by a network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. network acl deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
network watcher deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. network watcher deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
organizational policy changes that intentionally broaden sharing capabilities across sites.
planned windows defender configuration changes.
query log configuration deletions may occur during legitimate networking changes, logging pipeline updates, or infrastructure redesign. confirm the activity aligns with expected operations before taking action.
routine waf maintenance, rule lifecycle updates, or temporary rule removals during application changes may trigger this alert. validate whether the principal, source ip, automation role, or deployment pipeline is expected to modify waf rules. confirm that the deletion corresponds to a documented change or deployment before taking action.
security, platform, and encryption teams legitimately update kms key policies during onboarding, key rotation, or cross-account access design. review the policy document diff, ticketing, and whether new principals are in-org.
subscription deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suppression rules can be created legitimately by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suppression rules created by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
suspending the recording of a trail may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail suspensions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
teams external access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
the guardduty detector may be deleted by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. detector deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
there is no known legitimate reason for padding a policy document with enough whitespace to hit cloudtrail's logging constraints. any instance of this should be investigated rather than exempted.
there is usually no reason to remove modules, but some buggy modules require it. these can be exempted by username. note that some linux distributions are not built to support the removal of modules at all.
topic deletions may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail deletions may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trusted domains may be added by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud networks may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud routes may be created by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
virtual private cloud routes may be deleted by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows firewall profiles being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.