Which SIEM platforms have a T1562.007 detection rule?

df00tech provides T1562.007 (Disable or Modify Cloud Firewall) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Disable or Modify Cloud Firewall (T1562.007)?

Detecting Disable or Modify Cloud Firewall requires the following data sources: Cloud Service: Cloud Service Modification, Firewall: Firewall Rule Modification, AWS CloudTrail, Azure Activity Log, GCP Audit Log.

What severity and confidence is the T1562.007 detection?

The T1562.007 detection is rated high severity with medium confidence.

What are common false positives for T1562.007?

Common false positives for T1562.007 include: Cloud infrastructure teams deploying new services with appropriate security group configurations; Infrastructure-as-Code pipelines (Terraform, CloudFormation, ARM templates) that manage security groups during deployment; Auto-scaling events that create temporary security groups for new instances.

T1562.007 Elastic Security · Elastic

Detect Disable or Modify Cloud Firewall in Elastic Security

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, adversaries may create new ingress rules in existing security groups or create new security groups entirely to allow any TCP/IP connectivity.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.007 Disable or Modify Cloud Firewall
Canonical reference: https://attack.mitre.org/techniques/T1562/007/

Elastic Detection Query

Elastic Security (Elastic)

eql

any where event.dataset in ("aws.cloudtrail", "azure.auditlogs", "gcp.audit") and (
  (event.dataset == "aws.cloudtrail" and event.action in (
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup"
  )) or
  (event.dataset == "azure.auditlogs" and azure.auditlogs.operation_name : "*networkSecurityGroups*") or
  (event.dataset == "gcp.audit" and gcp.audit.method_name : "*compute.firewalls*")
)

high severity medium confidence

Detects creation, modification, or deletion of cloud firewall rules across AWS, Azure, and GCP. Focuses on security group ingress/egress rule changes and network security group modifications that may indicate an adversary attempting to weaken perimeter controls or expose resources to the internet.

Data Sources

AWS CloudTrail (via Filebeat aws module)Azure Audit Logs (via Azure integration)GCP Audit Logs (via GCP integration)

Required Tables

logs-aws.cloudtrail-*logs-azure.auditlogs-*logs-gcp.audit-*

False Positives & Tuning

Legitimate infrastructure-as-code deployments (Terraform, CloudFormation, Pulumi) that routinely create and modify security groups as part of CI/CD pipelines
Cloud security posture management (CSPM) tools such as Prisma Cloud or AWS Security Hub performing remediation actions
Authorized network engineers performing scheduled maintenance on firewall rules during approved change windows

Download portable Sigma rule (.yml)

Other platforms for T1562.007

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1AWS Security Group Ingress Rule Addition
Expected signal: CloudTrail event: AuthorizeSecurityGroupIngress with requestParameters showing port 22 and 0.0.0.0/0 CIDR. GuardDuty finding: UnauthorizedAccess:EC2/TorIPCaller if from suspicious IP.
Test 2Azure NSG Rule Addition
Expected signal: Azure Activity Log: Microsoft.Network/networkSecurityGroups/securityRules/write operation.
Test 3AWS GuardDuty IP Allowlisting via Pacu
Expected signal: CloudTrail event: CreateIPSet for GuardDuty. This is a critical indicator of defense impairment in AWS.

Last updated: 2026-04-20 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1562.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detect Disable or Modify Cloud Firewall in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1562.007

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1562.007

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox