virtual network device being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

azure
sigma

Techniques

Sample rules

Azure Virtual Network Device Modified or Deleted

source: sigma
technicques:

Description

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
  - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
  - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
  - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
  - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
  - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
  - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
  - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE