Rules Contributing to Suspicious Azure Firewall Activity Alert
The following rules are used to identify suspicious Azure Firewall activity. Any one or more of these will trigger the Suspicious Azure Firewall Activity Alert. The details for each rule are listed with its description.
Title | Azure Firewall Rule Configuration Modified or Deleted
---|---
Description | Identifies when a Firewall Rule Configuration is modified or deleted.
Rule ID | 
Query | `{'selection': {'operationName': ['MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE']}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
Author | Austin Songer @austinsonger
Tactics, Techniques, and Procedures | 
References | 
Severity | 50
Suppression Logic Based On | 
Additional Information | 

Title | Azure Firewall Rule Collection Modified or Deleted
---|---
Description | Identifies when Rule Collections (Application, NAT, and Network) are modified or deleted.
Rule ID | 
Query | `{'selection': {'operationName': ['MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE']}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 025c9fe7-db72-49f9-af0d-31341dd7dd57
Author | Austin Songer @austinsonger
Tactics, Techniques, and Procedures | 
References | 
Severity | 50
Suppression Logic Based On | 
Additional Information | 

Title | Azure Firewall Modified or Deleted
---|---
Description | Identifies when a firewall is created, modified, or deleted.
Rule ID | 
Query | `{'selection': {'operationName': ['MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE', 'MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE']}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 512cf937-ea9b-4332-939c-4c2c94baadcd
Author | Austin Songer @austinsonger
Tactics, Techniques, and Procedures | DEFENSE_EVASION, IMPACT, T1562.007
References | 
Severity | 50
Suppression Logic Based On | 
Additional Information | 

Title | Azure Network Firewall Policy Modified or Deleted
---|---
Description | Identifies when a Firewall Policy is modified or deleted.
Rule ID | 
Query | `{'selection': {'operationName': ['MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION', 'MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE']}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 83c17918-746e-4bd9-920b-8e098bf88c23
Author | Austin Songer @austinsonger
Tactics, Techniques, and Procedures | 
References | 
Severity | 50
Suppression Logic Based On | 
Additional Information | 
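The four `operationName` selections above, evaluated over a few log records, as an added example that is not Stellar Cyber's or SigmaHQ's own code. The sample records are constructed, their field layout is an assumed simplified shape, and matching is assumed to follow Sigma's default behaviour (exact value, case-insensitive), which is why the mixed-case names match the uppercase query values.

```python
import json

FW = "MICROSOFT.NETWORK/AZUREFIREWALLS"
POL = "MICROSOFT.NETWORK/FIREWALLPOLICIES"
VERBS = ("WRITE", "DELETE")

# operationName selections from the four rule queries on this page.
RULES = {
    "Azure Firewall Rule Configuration Modified or Deleted": {
        f"{POL}/{g}/{v}" for g in ("RULECOLLECTIONGROUPS", "RULEGROUPS") for v in VERBS},
    "Azure Firewall Rule Collection Modified or Deleted": {
        f"{FW}/{k}RULECOLLECTIONS/{v}" for k in ("APPLICATION", "NAT", "NETWORK") for v in VERBS},
    "Azure Firewall Modified or Deleted": {f"{FW}/{v}" for v in VERBS},
    "Azure Network Firewall Policy Modified or Deleted": {
        f"{POL}/{s}" for s in ("WRITE", "JOIN/ACTION", "CERTIFICATES/ACTION", "DELETE")},
}

# Constructed sample records (JSON lines); not real logs, field layout is an assumption.
SAMPLE_LOG = """\
{"time": "2024-01-01T10:00:00Z", "caller": "admin@example.com", "operationName": "Microsoft.Network/azureFirewalls/networkRuleCollections/delete"}
{"time": "2024-01-01T10:01:00Z", "caller": "admin@example.com", "operationName": "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"}
{"time": "2024-01-01T10:02:00Z", "caller": "reader@example.com", "operationName": "Microsoft.Network/azureFirewalls/read"}
{"time": "2024-01-01T10:03:00Z", "caller": "admin@example.com", "operationName": "Microsoft.Network/firewallPolicies/write"}
"""

def matching_rules(event):
    """Return the title of every rule whose selection matches this event."""
    # Exact match on the whole value: a rule-collection delete does not
    # match the plain AZUREFIREWALLS/DELETE rule.
    op = str(event.get("operationName", "")).upper()
    return [title for title, names in RULES.items() if op in names]

def evaluate(log_text):
    """Map rule title -> matching events; any non-empty result raises the alert."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for title in matching_rules(event):
            hits.setdefault(title, []).append(event)
    return hits

if __name__ == "__main__":
    for title, events in evaluate(SAMPLE_LOG).items():
        for e in events:
            print(f'{e["time"]} {e["caller"]} {e["operationName"]} -> {title}')
```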