From 0ac7f3d67224bf2dbd6f6d2dd2310fb61e6d4f37 Mon Sep 17 00:00:00 2001 From: Brent Murphy <56412096+bm11100@users.noreply.github.com> Date: Fri, 4 Sep 2020 09:28:58 -0400 Subject: [PATCH] [New Rule] Azure Firewall Policy Deletion (#169) * Create defense_evasion_firewall_policy_deletion.toml * Update rules/azure/defense_evasion_firewall_policy_deletion.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...ense_evasion_firewall_policy_deletion.toml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 rules/azure/defense_evasion_firewall_policy_deletion.toml diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml new file mode 100644 index 000000000..ada6c1751 --- /dev/null +++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2020/08/18" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/08/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade +defenses and/or to eliminate barriers in carrying out their initiative. +""" +false_positives = [ + """ + Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, + and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users + or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Azure Firewall Policy Deletion" +note = "The Azure Filebeat module must be enabled to use this rule." +references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"] +risk_score = 21 +rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969" +severity = "low" +tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Network"] +type = "query" + +query = ''' +event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"