LoFP LoFP / network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Network Security Configuration Modified or Deleted

Description

Identifies when a network security configuration is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
  - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE