Azure Firewall Policy Deletion
Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade
defenses and/or to eliminate barriers to their objective.
"""
false_positives = [
    """
    Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname,
    and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Firewall Policy Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Firewall Policy Deletion

Azure Firewall policies are crucial for managing and enforcing network security rules across Azure environments. Adversaries may target these policies to disable security measures, facilitating unauthorized access or data exfiltration. The detection rule monitors Azure activity logs for successful deletion operations of firewall policies, signaling potential defense evasion attempts by identifying specific operation names and outcomes.

### Possible investigation steps

- Review the Azure activity logs to confirm the deletion event by filtering for the operation name "MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and ensuring the event outcome is "Success".
- Identify the user or service principal responsible for the deletion by examining the 'caller' field in the activity logs.
- Check the timestamp of the deletion event to determine when the policy was deleted and correlate it with other security events or alerts around the same time.
- Investigate the context of the deletion by reviewing any related activities performed by the same user or service principal, such as modifications to other security settings or unusual login patterns.
- Assess the impact of the deletion by identifying which resources or networks were protected by the deleted firewall policy and evaluating the potential exposure or risk introduced by its removal.
- Contact the responsible user or team to verify if the deletion was authorized and part of a planned change or if it was unexpected and potentially malicious.

### False positive analysis

- Routine maintenance or updates by authorized personnel can trigger the deletion event. Ensure that such activities are logged and verified by cross-referencing with change management records.
- Automated scripts or tools used for infrastructure management might delete and recreate firewall policies as part of their operation. Identify these scripts and exclude their activity from alerts by using specific identifiers or tags.
- Test environments often undergo frequent changes, including policy deletions. Consider excluding activity from known test environments by filtering based on resource group or subscription IDs.
- Scheduled policy updates or rotations might involve temporary deletions. Document these schedules and adjust monitoring rules to account for these expected changes.
- Ensure that any third-party integrations or services with permissions to modify firewall policies are accounted for, and their actions are reviewed and whitelisted if necessary.

### Response and remediation

- Immediately isolate the affected Azure resources to prevent further unauthorized access or data exfiltration. This can be done by applying restrictive network security group (NSG) rules or using Azure Security Center to quarantine resources.
- Review Azure activity logs to identify the user or service principal responsible for the deletion. Verify if the action was authorized and investigate any suspicious accounts or credentials.
- Restore the deleted firewall policy from backups or recreate it using predefined templates to ensure that network security rules are reinstated promptly.
- Implement conditional access policies to enforce multi-factor authentication (MFA) for all users with permissions to modify or delete firewall policies, reducing the risk of unauthorized changes.
- Escalate the incident to the security operations team for further investigation and to determine if additional resources or systems have been compromised.
- Conduct a post-incident review to identify gaps in security controls and update incident response plans to address similar threats in the future.
- Enhance monitoring by configuring alerts for any future attempts to delete or modify critical security policies, ensuring rapid detection and response to potential threats.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
risk_score = 21
rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
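The following is an added example, not Elastic's code and not part of the rule above. It restates the rule's KQL query as a plain Python predicate, runs it over constructed Azure activity-log events, and layers on the two exemptions the false-positive section suggests (known automation principals and known test resource groups) plus the 25-minute lookback and `event.ingested` override the rule declares. Only `event.dataset`, `azure.activitylogs.operation_name` and `event.outcome` are taken from the rule; the field names `azure.activitylogs.caller`, `azure.resource.group` and `azure.resource.name`, and all event values, are assumptions made for the illustration.

```python
"""Replay the Azure Firewall Policy Deletion rule over constructed activity-log
events and apply the investigation guide's exemptions. Added example; not
Elastic's code and not the detection engine itself."""
from datetime import datetime, timedelta, timezone

# Values taken from the rule definition.
RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE"
RULE_OUTCOMES = ("Success", "success")  # keyword match is exact, hence both spellings
LOOKBACK = timedelta(minutes=25)        # from = "now-25m"


def _evt(ts, outcome, caller, group, name, op=RULE_OPERATION):
    """Build one constructed event in a flattened, ECS-like layout."""
    return {
        "@timestamp": ts, "event.dataset": RULE_DATASET, "event.outcome": outcome,
        "azure.activitylogs.operation_name": op,
        "azure.activitylogs.caller": caller,  # assumed field name
        "azure.resource.group": group,        # assumed field name
        "azure.resource.name": name,          # assumed field name
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # human user deletes a production policy -> alert
    _evt("2025-01-15T10:02:11Z", "Success", "alice@example.test", "prod-net-rg", "hub-fw-policy"),
    # same operation but denied by RBAC -> outcome Failure, no alert
    _evt("2025-01-15T10:03:40Z", "Failure", "bob@example.test", "prod-net-rg", "hub-fw-policy"),
    # lowercase outcome, as some pipelines emit it -> still an alert
    _evt("2025-01-15T10:05:02Z", "success", "carol@example.test", "shared-svc-rg", "branch-fw-policy"),
    # IaC service principal recreating a policy -> exempted by allowlist
    _evt("2025-01-15T10:06:30Z", "Success", "sp-terraform-pipeline", "prod-net-rg", "spoke-fw-policy"),
    # deletion inside a known test resource group -> exempted
    _evt("2025-01-15T10:07:15Z", "Success", "dave@example.test", "DEV-TEST-RG", "scratch-fw-policy"),
    # a different delete operation -> out of scope for this rule
    _evt("2025-01-15T10:08:00Z", "Success", "alice@example.test", "prod-net-rg", "web-nsg",
         op="MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE"),
    # old deletion outside the 25-minute lookback -> not raised again this run
    _evt("2025-01-15T08:00:00Z", "Success", "eve@example.test", "prod-net-rg", "legacy-fw-policy"),
]
KNOWN_AUTOMATION = frozenset({"sp-terraform-pipeline"})  # assumed allowlisted principal
TEST_GROUPS = frozenset({"dev-test-rg"})                  # assumed test resource group
RUN_TIME = datetime(2025, 1, 15, 10, 10, tzinfo=timezone.utc)


def _event_time(event):
    """timestamp_override = "event.ingested": prefer ingest time, else @timestamp."""
    stamp = event.get("event.ingested") or event["@timestamp"]
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def matches_rule(event):
    """Literal restatement of the rule's KQL query as a boolean."""
    return (
        event.get("event.dataset") == RULE_DATASET
        and event.get("azure.activitylogs.operation_name") == RULE_OPERATION
        and event.get("event.outcome") in RULE_OUTCOMES
    )


def is_exempt(event, known_automation, test_groups_upper):
    """Exemptions from the false-positive section: known automation principals
    and known test resource groups (group names compared case-insensitively)."""
    caller = event.get("azure.activitylogs.caller", "")
    group = event.get("azure.resource.group", "").upper()
    return caller in known_automation or group in test_groups_upper


def triage(events, known_automation=frozenset(), test_groups=frozenset(), now=None):
    """Return the alerts one rule run would raise, each carrying the fields the
    investigation steps ask for first: when, who, which policy, which group."""
    groups_upper = {g.upper() for g in test_groups}
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        if now is not None and _event_time(event) < now - LOOKBACK:
            continue  # outside this run's window
        if is_exempt(event, known_automation, groups_upper):
            continue
        alerts.append({
            "when": event["@timestamp"],
            "caller": event.get("azure.activitylogs.caller", "<unknown>"),
            "policy": event.get("azure.resource.name", "<unknown>"),
            "resource_group": event.get("azure.resource.group", "<unknown>"),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, KNOWN_AUTOMATION, TEST_GROUPS, now=RUN_TIME):
        print(alert)
```

Running it prints the two alerts an analyst would actually have to triage (alice and carol); the untuned `triage(SAMPLE_EVENTS)` raises five, which is the difference the exemption list makes. In a real deployment the exemptions belong in the rule's exception list or as extra KQL clauses on the same fields, not in a side script, but the logic is the same.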
References
- https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview
Related rules
- Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
- Azure Network Watcher Deletion
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Security Group Configuration Change
- AWS WAF Access Control List Deletion