From 09f49da8225a4f65a35dfe8dc159c58fe9ccf8ba Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 29 Sep 2021 12:08:09 -0500 Subject: [PATCH] [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) (cherry picked from commit d28c48f20f4cfbb6bab05c9af81091e1a186d8c8) --- ...on_frontdoor_firewall_policy_deletion.toml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml new file mode 100644 index 000000000..61a27b933 --- /dev/null +++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml @@ -0,0 +1,59 @@ +[metadata] +creation_date = "2021/08/01" +maturity = "production" +updated_date = "2021/08/01" +integration = "azure" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall +(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative. +""" +false_positives = [ + """ + Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, + hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from + unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted" +note = """## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking", +] +risk_score = 21 +rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082" +severity = "low" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"