virtual network device modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

azure
sigma

Techniques

Sample rules

Azure Virtual Network Device Modified or Deleted

source: sigma
technicques:

Description

Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
  - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
  - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
  - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
  - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
  - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
  - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
  - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
  - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE