LoFP / device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• t1485
• t1565
• t1565.001

Sample rules

Azure Device or Configuration Modified or Deleted

• source: sigma
• technicques:
  • t1485
  • t1565
  • t1565.001

Description

Identifies when a device or device configuration in azure is modified or deleted.

Detection logic

condition: selection
selection:
  properties.message:
  - Delete device
  - Delete device configuration
  - Update device
  - Update device configuration