LoFP LoFP / firewall policy being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

Azure Network Firewall Policy Modified or Deleted

Description

Identifies when a Firewall Policy is Modified or Deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE