
Quick Start Security for Azure Load Balancer


Coralogix Extension For Azure Load Balancer Includes:

Alerts: 7

Stay on top of Azure Load Balancer key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

No Logs From Azure LB

This rule detects when no Azure LB logs have arrived in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005 MITRE Technique: T1562

A Target Group Has Been Deleted

This alert triggers when a target group has been deleted. A load balancer serves as the single point of contact for clients. Target groups route requests to individual registered targets, such as virtual machines, using the protocol and port number that you specify. A target can be registered with multiple target groups.

Impact: If the target group is actively being used by your Azure LB to distribute traffic to your instances, deleting it will disrupt service. Users may experience downtime or be unable to access your application until a new target group is configured and associated with the Azure LB.

Mitigation: Verify that this was an authorized action. If not, investigate further and revert the changes.

MITRE Tactic: TA0005 MITRE Technique: T1578

A Listener Has Been Modified

This alert triggers whenever an LB listener has been modified and the modified protocol is not TLS/HTTPS. An Azure LB listener is a process that checks for connection requests using the protocol and port that you configure. It is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections.

Impact: Without an HTTPS listener, front-end connections are exposed to attacks such as man-in-the-middle (MITM).

Mitigation: Review which protocols and ports have been added or removed. If the user making the changes wasn't authorized to do so, revert the changes.

MITRE Tactic: TA0005 MITRE Technique: T1578

A Listener Has Been Deleted

This alert triggers whenever a load balancer listener has been deleted. An Azure LB listener is a process that checks for connection requests using the protocol and port that you configure. It is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections.

Impact: The listener is responsible for receiving incoming requests on a specific port and protocol and routing them to the appropriate backend targets (e.g., virtual machines). Deleting a listener removes traffic routing for that port and protocol.

Mitigation: Review the deleted listener and determine whether the action was approved. Revert the change if it wasn't authorized and investigate further for any other impact.

MITRE Tactic: TA0005 MITRE Technique: T1578
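The following is an added example (not Coralogix's rule code) showing how the "No Logs From Azure LB" silence check and the two listener alerts above can be evaluated over constructed event records. The record field names (time, operation, resource, protocol, caller) are an assumption for this illustration, not Azure's or Coralogix's schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for Azure LB activity entries.
# Field names are assumed for this example only.
EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "operation": "listener/write",
     "resource": "lb-web/listener-443", "protocol": "HTTPS", "caller": "ops@example.test"},
    {"time": "2024-05-01T09:20:00Z", "operation": "listener/write",
     "resource": "lb-web/listener-80", "protocol": "HTTP", "caller": "svc-deploy"},
    {"time": "2024-05-01T09:25:00Z", "operation": "listener/delete",
     "resource": "lb-web/listener-8443", "protocol": None, "caller": "svc-deploy"},
]

SECURE_PROTOCOLS = {"HTTPS", "TLS"}
SILENCE_WINDOW = timedelta(hours=4)


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def no_logs_alert(events, now):
    """'No Logs From Azure LB': fire when nothing arrived within the last 4 hours."""
    if not events:
        return True
    latest = max(parse_time(e["time"]) for e in events)
    return now - latest > SILENCE_WINDOW


def insecure_listener_changes(events):
    """'A Listener Has Been Modified': listener writes whose protocol is not TLS/HTTPS."""
    return [e for e in events
            if e["operation"] == "listener/write"
            and (e["protocol"] or "").upper() not in SECURE_PROTOCOLS]


def deleted_listeners(events):
    """'A Listener Has Been Deleted': every listener delete, for authorization review."""
    return [e for e in events if e["operation"] == "listener/delete"]


if __name__ == "__main__":
    now = parse_time("2024-05-01T13:26:00Z")
    print("no-logs alert:", no_logs_alert(EVENTS, now))
    for e in insecure_listener_changes(EVENTS):
        print("insecure listener change:", e["resource"], "by", e["caller"])
    for e in deleted_listeners(EVENTS):
        print("listener deleted:", e["resource"], "by", e["caller"])
```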

A Load Balancer Has Been Created

This alert triggers whenever a load balancer has been created. A load balancer serves as the single point of contact for clients. It distributes incoming application traffic across multiple targets, such as virtual machines, in multiple Availability Zones, which increases the availability of your application.

Impact: Creation of a new load balancer should be verified, as it can greatly change the network flow or route network traffic to an attacker-controlled environment.

Mitigation: Inspect the user who created the load balancer and verify that this was an authorized action. If not, investigate further and revert the changes.

MITRE Tactic: TA0005 MITRE Technique: T1578

A Load Balancer Has Been Deleted

This alert triggers whenever a load balancer has been deleted along with its attached listeners. A load balancer serves as the single point of contact for clients. It distributes incoming application traffic across multiple targets, such as virtual machines, in multiple Availability Zones, which increases the availability of your application.

Impact: Load balancers are often used to achieve high availability by distributing traffic across multiple instances or availability zones. Deleting the load balancer can create a single point of failure, as incoming traffic will no longer be automatically redirected if an instance or availability zone becomes inaccessible.

Mitigation: Verify that this was an authorized action. If not, investigate further and revert the changes.

MITRE Tactic: TA0005 MITRE Technique: T1578

Traffic Distribution Across Security Zones

In a multi-tiered architecture where security zones segregate components based on sensitivity and trust levels, a Load Balancer is employed to distribute traffic across these security zones. This use case involves strategically routing incoming requests to different zones based on security policies, enhancing overall security posture and mitigating potential risks associated with unauthorized access or attacks.

Impact:

- Network Segmentation: Efficient traffic distribution facilitates the segmentation of the network into security zones, preventing lateral movement of threats and limiting the potential impact of a security breach.
- Access Control: By directing traffic based on security zones, the Load Balancer helps enforce access control policies, ensuring that only authorized users or systems can interact with specific components.
- Attack Surface Reduction: The Load Balancer contributes to minimizing the attack surface by isolating critical components within designated security zones and controlling traffic flow accordingly.

Mitigation:

- Define Security Policies: Clearly define and implement security policies that dictate which security zones are accessible by specific types of traffic or users.
- Use Network Security Groups (NSG): Leverage NSGs to restrict traffic between different security zones. Define rules that explicitly allow or deny communication based on source and destination IP addresses, ports, and protocols.
- SSL/TLS Encryption: Implement encryption protocols to secure traffic between the Load Balancer and backend servers, especially when crossing security boundaries.

MITRE Tactic: T1046 MITRE Technique: T1505

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Load Balancer in our documentation.
