LoFP / application security group modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Application Security Group Modified or Deleted

• source: sigma
• technicques:

Description

Identifies when a application security group is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
  - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE