security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Firewall Policy Deletion (#169)

Browse Source 
* Create defense_evasion_firewall_policy_deletion.toml

* Update rules/azure/defense_evasion_firewall_policy_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-09-04 09:28:58 -04:00
committed by GitHub
parent 9025a7d183
commit 0ac7f3d672
1 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/azure/defense_evasion_firewall_policy_deletion.toml
+49
View File
@@ -0,0 +1,49 @@
[metadata]
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade
defenses and/or to eliminate barriers in carrying out their initiative.
"""
false_positives = [
"""
Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Firewall Policy Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
risk_score = 21
rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
severity = "low"
tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Network"]
type = "query"
query = '''
event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"