LoFP / firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

• t1562
• t1562.004

Sample rules

Azure Firewall Modified or Deleted

• source: sigma
• technicques:
  • t1562
  • t1562.004

Description

Identifies when a firewall is created, modified, or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE