T1562.007 Disable or Modify Cloud Firewall Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CloudFirewallActions = dynamic(["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup", "UpdateSecurityGroup", "microsoft.network/networksecuritygroups/write", "microsoft.network/networksecuritygroups/securityRules/write", "microsoft.network/networksecuritygroups/delete", "compute.firewalls.create", "compute.firewalls.delete", "compute.firewalls.update"]);
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (CloudFirewallActions)
| extend SourceIP = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend IsOpenToAll = Result has "0.0.0.0/0" or Result has "::/0"
| project TimeGenerated, OperationName, Actor, SourceIP, TargetResources, Result, IsOpenToAll
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Firewall: Firewall Rule Modification AWS CloudTrail Azure Activity Log GCP Audit Log

Required Tables

AuditLogs

False Positives

Cloud infrastructure teams deploying new services with appropriate security group configurations
Infrastructure-as-Code pipelines (Terraform, CloudFormation, ARM templates) that manage security groups during deployment
Auto-scaling events that create temporary security groups for new instances

Splunk

spl

(index=aws sourcetype=aws:cloudtrail eventName IN ("AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"))
OR
(index=azure sourcetype="azure:audit" operationName="*networkSecurityGroups*")
OR
(index=gcp sourcetype="google:gcp:audit" methodName="*compute.firewalls*")
| eval IsOpenToAll=if(match(_raw, "0\.0\.0\.0/0|::/0"), "Yes", "No")
| eval CloudProvider=case(
    sourcetype=="aws:cloudtrail", "AWS",
    sourcetype=="azure:audit", "Azure",
    sourcetype=="google:gcp:audit", "GCP",
    true(), "Unknown")
| eval Actor=coalesce(userIdentity.arn, claims.upn, protoPayload.authenticationInfo.principalEmail)
| eval Action=coalesce(eventName, operationName, protoPayload.methodName)
| table _time, CloudProvider, Actor, Action, IsOpenToAll, sourceIPAddress, requestParameters
| sort - _time

high severity medium confidence

Data Sources

AWS CloudTrail Azure Audit Log GCP Audit Log

Required Sourcetypes

aws:cloudtrail azure:audit google:gcp:audit

False Positives

Cloud infrastructure teams deploying new services with appropriate security group configurations
Infrastructure-as-Code pipelines (Terraform, CloudFormation, ARM templates) that manage security groups during deployment
Auto-scaling events that create temporary security groups for new instances

Elastic Security (EQL)

eql

any where event.dataset in ("aws.cloudtrail", "azure.auditlogs", "gcp.audit") and (
  (event.dataset == "aws.cloudtrail" and event.action in (
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup"
  )) or
  (event.dataset == "azure.auditlogs" and azure.auditlogs.operation_name : "*networkSecurityGroups*") or
  (event.dataset == "gcp.audit" and gcp.audit.method_name : "*compute.firewalls*")
)

high severity medium confidence

Data Sources

AWS CloudTrail (via Filebeat aws module) Azure Audit Logs (via Azure integration) GCP Audit Logs (via GCP integration)

Required Tables

logs-aws.cloudtrail-* logs-azure.auditlogs-* logs-gcp.audit-*

False Positives

Legitimate infrastructure-as-code deployments (Terraform, CloudFormation, Pulumi) that routinely create and modify security groups as part of CI/CD pipelines
Cloud security posture management (CSPM) tools such as Prisma Cloud or AWS Security Hub performing remediation actions
Authorized network engineers performing scheduled maintenance on firewall rules during approved change windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS actor,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  "deviceEventCategory" AS event_category,
  "URL" AS raw_action,
  CASE
    WHEN "URL" ILIKE '%0.0.0.0/0%' OR "URL" ILIKE '%::/0%' THEN 'Yes'
    ELSE 'No'
  END AS open_to_all,
  CASE
    WHEN LOGSOURCETYPEID(logsourceid) = 347 THEN 'AWS'
    WHEN LOGSOURCETYPEID(logsourceid) = 433 THEN 'Azure'
    WHEN LOGSOURCETYPEID(logsourceid) = 459 THEN 'GCP'
    ELSE 'Unknown'
  END AS cloud_provider
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    (LOGSOURCETYPEID(logsourceid) = 347
      AND "deviceEventCategory" IN (
        'AuthorizeSecurityGroupIngress', 'AuthorizeSecurityGroupEgress',
        'RevokeSecurityGroupIngress', 'RevokeSecurityGroupEgress',
        'CreateSecurityGroup', 'DeleteSecurityGroup'
      ))
    OR (LOGSOURCETYPEID(logsourceid) = 433
      AND ("deviceEventCategory" ILIKE '%networkSecurityGroups%'
           OR "URL" ILIKE '%networkSecurityGroups%'))
    OR (LOGSOURCETYPEID(logsourceid) = 459
      AND ("deviceEventCategory" ILIKE '%compute.firewalls%'
           OR "URL" ILIKE '%compute.firewalls%'))
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

AWS CloudTrail DSM (LOGSOURCETYPEID 347) Microsoft Azure Activity Logs DSM (LOGSOURCETYPEID 433) Google Cloud Audit Logs DSM (LOGSOURCETYPEID 459)

Required Tables

events

False Positives

Automated cloud governance platforms (AWS Config Rules, Azure Policy) that auto-remediate non-compliant security group configurations by modifying or recreating rules
DevOps tooling running in headless service accounts that dynamically provision and tear down security groups for ephemeral test environments
Cloud migration projects where large numbers of security groups are created or cloned in bulk during cutover windows

Sumo Logic CSE

sql

(_sourceCategory="aws/cloudtrail" AND (eventName="AuthorizeSecurityGroupIngress" OR eventName="AuthorizeSecurityGroupEgress" OR eventName="RevokeSecurityGroupIngress" OR eventName="RevokeSecurityGroupEgress" OR eventName="CreateSecurityGroup" OR eventName="DeleteSecurityGroup"))
OR (_sourceCategory="azure/audit" AND operationName matches "*networkSecurityGroups*")
OR (_sourceCategory="gcp/audit" AND methodName matches "*compute.firewalls*")
| if (!isNull(eventName), eventName, if(!isNull(operationName), operationName, methodName)) as action
| if (!isNull(userIdentity.arn), userIdentity.arn, if(!isNull(claims.upn), claims.upn, protoPayload.authenticationInfo.principalEmail)) as actor
| if (!isNull(sourceIPAddress), sourceIPAddress, callerSuppliedUserAgent) as source_ip
| if (!isNull(_sourceCategory) and _sourceCategory matches "aws/*", "AWS", if(_sourceCategory matches "azure/*", "Azure", if(_sourceCategory matches "gcp/*", "GCP", "Unknown"))) as cloud_provider
| if (queryRaw matches "*0.0.0.0/0*" or queryRaw matches "*::/0*", "Yes", "No") as open_to_all
| count by _messageTime, cloud_provider, actor, action, source_ip, open_to_all
| sort by _messageTime desc

high severity medium confidence

Data Sources

AWS CloudTrail (sourceCategory: aws/cloudtrail) Azure Audit Logs (sourceCategory: azure/audit) GCP Audit Logs (sourceCategory: gcp/audit)

Required Tables

AWS CloudTrail index Azure Audit Log index GCP Audit Log index

False Positives

Security automation runbooks (AWS Lambda, Azure Automation, GCP Cloud Functions) triggered by alerts that automatically modify security groups to isolate compromised resources
Routine infrastructure scaling events where auto-scaling groups create temporary security groups for new compute instances
Scheduled penetration test activities that provision and decommission test environments with intentionally permissive firewall rules under approved authorizations

Google Chronicle / SecOps

yaral

rule mitre_t1562_007_cloud_firewall_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects modification, creation, or deletion of cloud firewall rules across AWS, Azure, and GCP that may indicate an adversary bypassing network access controls."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.007"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    (
      (
        $e.metadata.vendor_name = "AMAZON"
        AND (
          $e.metadata.product_event_type = "AuthorizeSecurityGroupIngress"
          OR $e.metadata.product_event_type = "AuthorizeSecurityGroupEgress"
          OR $e.metadata.product_event_type = "RevokeSecurityGroupIngress"
          OR $e.metadata.product_event_type = "RevokeSecurityGroupEgress"
          OR $e.metadata.product_event_type = "CreateSecurityGroup"
          OR $e.metadata.product_event_type = "DeleteSecurityGroup"
        )
      )
      OR (
        $e.metadata.vendor_name = "MICROSOFT"
        AND re.regex($e.target.resource.name, `(?i)networkSecurityGroups`)
      )
      OR (
        $e.metadata.vendor_name = "GOOGLE"
        AND re.regex($e.target.resource.name, `(?i)compute\.firewalls`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

AWS CloudTrail (Chronicle AWS log ingestion) Azure Activity Logs (Chronicle Azure integration) GCP Cloud Audit Logs (Chronicle GCP integration)

Required Tables

UDM events with metadata.vendor_name IN (AMAZON, MICROSOFT, GOOGLE)

False Positives

Cloud-native network automation tools that programmatically manage firewall rules as part of service mesh or zero-trust network architecture implementations
Disaster recovery drills that simulate environment reconstruction including firewall rule provisioning from infrastructure templates
Managed Kubernetes services (EKS, AKS, GKE) that automatically create and modify security groups and firewall rules when deploying load balancers or NodePort services

CrowdStrike LogScale (CQL)

cql

#repo=base_sensor #event_simpleName=CloudAuditEvent
| CloudProvider = /(?i)(aws|azure|gcp)/
| ActionType = /(?i)(AuthorizeSecurityGroupIngress|AuthorizeSecurityGroupEgress|RevokeSecurityGroupIngress|RevokeSecurityGroupEgress|CreateSecurityGroup|DeleteSecurityGroup|networkSecurityGroups|compute\.firewalls)/
| IsOpenToAll := if(RawEvent = /0\.0\.0\.0\/0|::\/0/, "Yes", "No")
| table([_timeutc, CloudProvider, ActorUpn, ActionType, SourceIPAddress, TargetResource, IsOpenToAll])
| sort(field=_timeutc, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (CSPM) cloud audit events Falcon for AWS CloudTrail ingestion Falcon for Azure Activity Log ingestion Falcon for GCP Audit Log ingestion

Required Tables

base_sensor CloudAuditEvent

False Positives

Falcon Horizon auto-remediation policies configured to automatically roll back non-compliant security group rules may generate self-referential events that trigger this detection
Bulk security group updates during cloud account migrations or consolidations where hundreds of rules are modified in a short timeframe by authorized migration tooling
CI/CD pipelines integrated with CrowdStrike that provision test environments with known-permissive firewall rules that are torn down after test completion

Disable or Modify Cloud Firewall

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections