Update and rename azure_device_or_configuration_deleted.yml to azure_device_or_configuration_modified_or_deleted.yml
+7
-5
@@ -1,7 +1,7 @@
|
||||
title: Azure Device or Configuration Deleted
|
||||
title: Azure Device or Configuration Modified or Deleted
|
||||
id: 46530378-f9db-4af9-a9e5-889c177d3881
|
||||
description: Identifies when a device or device configuration in azure is deleted.
|
||||
author: Austin Songer
|
||||
description: Identifies when a device or device configuration in azure is modified or deleted.
|
||||
author: Austin Songer @austinsonger
|
||||
status: experimental
|
||||
date: 2021/09/03
|
||||
references:
|
||||
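Review bot: The header keeps `id: 46530378-f9db-4af9-a9e5-889c177d3881` and `date: 2021/09/03` unchanged while the title and description widen the rule from deletion to modification or deletion, so nothing in these lines records that the rule's scope changed. Add a `modified:` line after `date` with the date of this change, so that anyone tracking the rule by its id can see it now matches more events. In the new description, "azure" should be capitalised as "Azure" to match the title.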
@@ -13,11 +13,13 @@ detection:
|
||||
properties.message:
|
||||
- Delete device
|
||||
- Delete device configuration
|
||||
- Update device
|
||||
- Update device configuration
|
||||
condition: selection
|
||||
level: medium
|
||||
tags:
|
||||
- attack.impact
|
||||
falsepositives:
|
||||
- Device or device configuration being deleted may be performed by a system administrator.
|
||||
- Device or device configuration being modified or deleted may be performed by a system administrator.
|
||||
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
||||
- Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
- Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
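Review bot: The two added `properties.message` values, `Update device` and `Update device configuration`, widen the selection to every device update, yet `level: medium` and the single `attack.impact` tag are left as they were for the delete-only rule. The falsepositives text in this same hunk already says these changes may be performed by a system administrator, so consider putting the update messages in a separate rule or assigning them a lower level, and check whether `attack.impact` still describes a modification as well as a deletion. The reworded falsepositives entries do match the new scope.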