
Quick Start Security for Azure Firewall

Azure Firewall

Coralogix Extension For Azure Firewall Includes:

Dashboards - 1

Gain instantaneous visualization of all your Azure Firewall data.

Azure Firewall Dashboard

Alerts - 9

Stay on top of Azure Firewall key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An Attempt Was Made to Delete a Locked Firewall Policy

This alert detects an attempt to delete a Firewall policy that is protected by a resource lock. Locks are an Azure feature that prevent the accidental deletion or modification of resources.

Impact: A blocked deletion attempt should be inspected and validated as legitimate, since it can be an indication of an attacker trying to remove legitimate resources.

Mitigation: Validate that the deletion attempt was authorized and intended, and investigate further if it was not. If this alert is followed by a successful deletion alert for the same policy, pay close attention to the performing user and validate the action quickly, as it may mean the attacker has removed or circumvented the lock.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

An Attempt Was Made to Delete a Locked Firewall

This alert detects an attempt to delete a Firewall that is protected by a resource lock. Locks are an Azure feature that prevent the accidental deletion or modification of resources.

Impact: A blocked deletion attempt should be inspected and validated as legitimate, since it can be an indication of an attacker trying to remove legitimate resources.

Mitigation: Validate that the deletion attempt was authorized and intended, and investigate further if it was not. If this alert is followed by a successful deletion alert for the same firewall, pay close attention to the performing user and validate the action quickly, as it may mean the attacker has removed or circumvented the lock.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

A Firewall policy was deleted

This alert detects when a Firewall policy was deleted.

Impact: An adversary may delete a firewall policy to impair network defenses, allow or deny traffic at will, and cause a business impact on the company environment.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the firewall and the network range are scoped properly. Ensure the user who deleted the policy actually requires the privilege to delete firewall policies.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

A Firewall Policy Was Created or Updated

This alert detects when a Firewall policy was created or updated.

Impact: Attackers can add or loosen rules in a firewall policy to open an entry point into services behind the firewall, or to permit outbound traffic that the policy previously blocked.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the firewall and the network range are scoped properly. Ensure the user who created or modified the policy actually requires the privilege to create or modify firewall policies.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

A Firewall Was Deleted

This alert detects when a Firewall was deleted.

Impact: An adversary may delete a firewall in order to disrupt network operations and expose the networks behind it to outside attacks.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the user who deleted the firewall actually requires the privilege for that action.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

A Firewall was created or updated

This alert detects when a Firewall was created or updated.

Impact: Attackers can change a firewall's configuration, for example its attached policy or its IP configuration, to open an entry point into services behind it.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the firewall and the network range are scoped properly. Ensure the user who created or modified the firewall actually requires that privilege.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007

No logs from Azure Firewall

This rule detects when no logs have arrived from Azure Firewall in the customer account for the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling or silencing logging is a tactic adversaries use as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. A gap can also simply mean the firewall's diagnostic settings or the forwarding pipeline broke, which leaves the same blind spot.

Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM. Confirm that the firewall's diagnostic settings still exist and point at the right destination, and check who last changed them.

MITRE Tactic: TA0005 MITRE Technique: T1562

Azure Firewall Policies Certificate Added, Modified or Deleted

The "Azure Firewall Policies Certificate Action" use case monitors and records certificate management actions within Azure Firewall policies: certificate additions, modifications and deletions. It provides visibility into certificate-related changes, helping to preserve the integrity of secure communication and compliance with organizational security policies. The certificate in question is the intermediate CA that Azure Firewall Premium uses for TLS inspection, so a change to it alters which traffic the firewall can decrypt and inspect, and which CA the clients behind the firewall are trusting.

Impact: An attacker who swaps or removes the policy's certificate can disable inspection of selected traffic, or introduce a CA under their control, and so open an entry point into various services in Azure.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the firewall and the network range are scoped properly. Ensure the user who changed the certificate actually requires the privilege to modify the policy's TLS inspection settings and the Key Vault it reads from.

MITRE Tactic: TA0005 MITRE Technique: T1562

Azure Firewall Network Configuration Changes

The "Azure Firewall Configuration Changes" use case monitors and records modifications to the configuration of Azure Firewall within an Azure environment. This includes changes to rule collections, network rules, application rules, threat intelligence settings, and any other configuration parameter of Azure Firewall. It provides visibility into administrative actions and supports the security and compliance of the network infrastructure.

Impact: Unauthorized or incorrect changes to Azure Firewall configuration can cause deviations from the organization's security policies, resulting in misconfigured rules that expose the network or allow unintended traffic. Improper changes may also disrupt network traffic, degrading the availability and performance of applications and services that rely on Azure Firewall, up to service outages.

Mitigation: Validate that the action was authorized and revert the change if not. Ensure the firewall and the network range are scoped properly. Ensure the user who created or modified the firewall actually requires that privilege.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007
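The alerts above (lock-blocked deletions, deletions and creations/updates of firewalls and policies, and the no-logs rule) all rest on a few fields of the Azure Activity Log. The following is an added example of that detection logic run over constructed Activity Log records; it is not Coralogix's alert definitions. The operation names and the ScopeLocked error code are real Azure Resource Manager values, but the record layout is a trimmed, assumed version of the Activity Log export schema, and every subscription ID, resource name, caller and timestamp is made up. It also implements the correlation the lock alerts call for: a blocked delete followed shortly by a successful delete of the same resource.

```python
"""Toy detection logic for the Azure Firewall alerts listed above.

Added example, not Coralogix's alert definitions. Operation names and the
ScopeLocked error code are real Resource Manager values; the record layout
is an assumed, trimmed Activity Log export schema; all IDs, names, callers
and timestamps are constructed."""
import json
from datetime import datetime, timedelta

# Resource Manager operations the alerts watch (real operationName values).
FW_DELETE = "Microsoft.Network/azureFirewalls/delete"
FW_WRITE = "Microsoft.Network/azureFirewalls/write"
POLICY_DELETE = "Microsoft.Network/firewallPolicies/delete"
POLICY_WRITE = "Microsoft.Network/firewallPolicies/write"
# Error code returned when a CanNotDelete or ReadOnly lock blocks the call.
LOCK_ERROR = "ScopeLocked"

# Constructed resource IDs (hypothetical subscription and names).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/net-rg/providers/Microsoft.Network"
PROD_POLICY = _SUB + "/firewallPolicies/prod-policy"
DEV_POLICY = _SUB + "/firewallPolicies/dev-policy"
HUB_FW = _SUB + "/azureFirewalls/hub-fw"


def _event(time, op, result, caller, rid, code=None):
    """One trimmed Activity Log record; a failed call carries the error
    object as a JSON string in properties.statusMessage (assumed layout)."""
    msg = json.dumps({"error": {"code": code, "message": "blocked by lock"}}) if code else ""
    return {"time": time, "operationName": op, "resultType": result, "caller": caller,
            "resourceId": rid, "properties": {"statusMessage": msg}}


SAMPLE_EVENTS = [  # constructed sample records
    _event("2024-05-01T10:00:00Z", POLICY_DELETE, "Failure", "alice@example.com", PROD_POLICY, LOCK_ERROR),
    _event("2024-05-01T10:10:00Z", POLICY_DELETE, "Success", "alice@example.com", PROD_POLICY),  # lock removed first
    _event("2024-05-01T11:00:00Z", POLICY_WRITE, "Success", "bob@example.com", DEV_POLICY),
    _event("2024-05-01T11:30:00Z", FW_DELETE, "Start", "bob@example.com", HUB_FW),  # 'Start' is not an outcome
    _event("2024-05-01T11:45:00Z", "Microsoft.Network/networkSecurityGroups/write", "Success", "bob@example.com", HUB_FW),
]


def _ts(event):
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def _error_code(event):
    """Error code from the statusMessage JSON, or None for success/start records."""
    try:
        return json.loads(event["properties"].get("statusMessage") or "").get("error", {}).get("code")
    except (ValueError, AttributeError):
        return None


# (operationName, resultType, error code) -> alert name from the list above
RULES = {
    (POLICY_DELETE, "Failure", LOCK_ERROR): "An Attempt Was Made to Delete a Locked Firewall Policy",
    (FW_DELETE, "Failure", LOCK_ERROR): "An Attempt Was Made to Delete a Locked Firewall",
    (POLICY_DELETE, "Success", None): "A Firewall policy was deleted",
    (FW_DELETE, "Success", None): "A Firewall Was Deleted",
    (POLICY_WRITE, "Success", None): "A Firewall Policy Was Created or Updated",
    (FW_WRITE, "Success", None): "A Firewall was created or updated",
}


def classify(event):
    """Alert name for one record, or None when no rule matches."""
    return RULES.get((event.get("operationName"), event.get("resultType"), _error_code(event)))


def detect(events):
    """(alert, caller, resourceId) for every matching record, in time order."""
    hits = []
    for ev in sorted(events, key=_ts):
        alert = classify(ev)
        if alert:
            hits.append((alert, ev["caller"], ev["resourceId"]))
    return hits


def lock_bypassed(events, window_minutes=60):
    """A lock-blocked delete followed within the window by a successful delete of
    the same resource means someone removed the lock first. Returns (caller, resourceId)."""
    blocked, hits = {}, []
    for ev in sorted(events, key=_ts):
        if ev.get("operationName") not in (POLICY_DELETE, FW_DELETE):
            continue
        if ev["resultType"] == "Failure" and _error_code(ev) == LOCK_ERROR:
            blocked[ev["resourceId"]] = _ts(ev)
        elif ev["resultType"] == "Success":
            first = blocked.pop(ev["resourceId"], None)
            if first is not None and _ts(ev) - first <= timedelta(minutes=window_minutes):
                hits.append((ev["caller"], ev["resourceId"]))
    return hits


def no_logs(events, now_iso, window_hours=4):
    """The 'No logs from Azure Firewall' rule: True when nothing arrived in the window."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return not events or now - max(_ts(e) for e in events) > timedelta(hours=window_hours)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
    print("lock bypassed:", lock_bypassed(SAMPLE_EVENTS))
    print("no logs at 16:00:", no_logs(SAMPLE_EVENTS, "2024-05-01T16:00:00Z"))
```

Two points the code makes that the alert text only implies: a blocked delete shows up as a failed operation with the lock error code, not as a distinct event, so the rule must key on the error object rather than on the operation name alone; and `lock_bypassed` is the correlation a responder actually wants, since the lock-removal itself is a separate `Microsoft.Authorization/locks/delete` operation that the two alerts above do not cover.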

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Firewall in our documentation.
