firewall rule configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

azure
sigma

Techniques

Sample rules

Azure Firewall Rule Configuration Modified or Deleted

source: sigma
technicques:

Description

Identifies when a Firewall Rule Configuration is Modified or Deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
  - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE