Modification or deletion of rule collections (Application, NAT, and Network) may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Sample rules

Azure Firewall Rule Collection Modified or Deleted

Description

Identifies when rule collections (Application, NAT, and Network) are modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
  - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
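
The selection above applied to a few constructed activity-log records, followed by the identity check the false-positive note asks for. This is an added example, not part of the rule or of the LoFP project; the `caller` field name, the `EXPECTED_ADMINS` allowlist and the sample events are assumptions.

```python
# Added example: the rule's selection plus a known-administrator triage step.
# Assumptions: events are dicts with `operationName` and `caller` keys, and
# EXPECTED_ADMINS is a hypothetical allowlist maintained by the defender.

# The six operations listed in the detection logic.
WATCHED_OPERATIONS = {
    f"MICROSOFT.NETWORK/AZUREFIREWALLS/{kind}RULECOLLECTIONS/{action}"
    for kind in ("APPLICATION", "NAT", "NETWORK")
    for action in ("WRITE", "DELETE")
}

EXPECTED_ADMINS = {"netadmin@example.com"}  # hypothetical identities

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE",
     "caller": "netadmin@example.com"},
    {"operationName": "Microsoft.Network/azureFirewalls/natRuleCollections/delete",
     "caller": "unknown@example.com"},
    {"operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE",
     "caller": "unknown@example.com"},
    {"operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE"},
]


def matches_rule(event):
    """True when operationName is one of the watched operations.

    Compared case-insensitively, as Sigma string matching is by default.
    """
    return str(event.get("operationName", "")).upper() in WATCHED_OPERATIONS


def triage(events):
    """Split matching events into expected admin changes and ones to review.

    A matching event with no caller recorded is never treated as expected.
    """
    expected, review = [], []
    for event in events:
        if not matches_rule(event):
            continue
        caller = str(event.get("caller", "")).lower()
        (expected if caller in EXPECTED_ADMINS else review).append(event)
    return expected, review


if __name__ == "__main__":
    expected, review = triage(SAMPLE_EVENTS)
    print(f"expected admin changes: {len(expected)}, needs review: {len(review)}")
```

The same split can be extended to user agent and hostname once you know which fields carry them in your log pipeline.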