LoFP / Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Point-to-site VPN Modified or Deleted

Description

Identifies when a Point-to-site VPN is Modified or Deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION
  - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
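
The following is an added example, not part of the original rule or of the project that publishes it: it applies the selection above to constructed activity-log records and exempts known callers, as the false-positive guidance suggests. The `caller` and `time` field names, the JSON-lines layout and the exempt identity are assumptions; operation names are compared case-insensitively, as Sigma string matching is by default.

```python
import json

# Operation names copied from the rule's selection.
P2S_OPERATIONS = {
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE",
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE",
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION",
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION",
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION",
    "MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
}

# Assumption: identities whose P2S VPN changes are known, reviewed behavior.
EXEMPT_CALLERS = frozenset({"netops-automation@example.com"})

# Constructed sample records, one JSON object per line. "operationName" is the
# rule's field; "time" and "caller" are assumed field names.
SAMPLE_LOG = """\
{"time": "2024-01-10T09:00:00Z", "operationName": "Microsoft.Network/p2sVpnGateways/write", "caller": "netops-automation@example.com"}
{"time": "2024-01-10T09:05:00Z", "operationName": "MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE", "caller": "Contractor7@example.com"}
{"time": "2024-01-10T09:06:00Z", "operationName": "Microsoft.Network/virtualNetworks/read", "caller": "contractor7@example.com"}
{"time": "2024-01-10T09:07:00Z", "operationName": "Microsoft.Network/p2sVpnGateways/generatevpnprofile/action"}
not-json
"""


def evaluate(lines, exempt=EXEMPT_CALLERS):
    """Return (time, operation, caller) for each matching, non-exempt record."""
    exempt = {c.lower() for c in exempt}
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(event, dict):
            continue
        op = str(event.get("operationName", "")).upper()
        if op not in P2S_OPERATIONS:
            continue
        caller = str(event.get("caller", "")).strip().lower()
        # A record with no caller is never exempted: it cannot be tied to known behavior.
        if caller and caller in exempt:
            continue
        alerts.append((event.get("time"), op, caller or "<unknown>"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keeping the exemption keyed to specific identities rather than to an operation name means a delete or reset by an unfamiliar user still alerts.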