LoFP / firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

• t1686
• t1686.001

Sample rules

Azure Firewall Modified or Deleted

• source: sigma
• technicques:
  • t1686
  • t1686.001

Description

Identifies when a firewall is created, modified, or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE