T1562.007 IBM QRadar · QRadar

Detect Disable or Modify Cloud Firewall in IBM QRadar

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, adversaries may create new ingress rules in existing security groups or create new security groups entirely to allow any TCP/IP connectivity.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.007 Disable or Modify Cloud Firewall
Canonical reference
https://attack.mitre.org/techniques/T1562/007/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS actor,
  sourceip AS source_ip,
  QIDNAME(qid) AS event_name,
  "deviceEventCategory" AS event_category,
  "URL" AS raw_action,
  CASE
    WHEN "URL" ILIKE '%0.0.0.0/0%' OR "URL" ILIKE '%::/0%' THEN 'Yes'
    ELSE 'No'
  END AS open_to_all,
  CASE
    WHEN LOGSOURCETYPEID(logsourceid) = 347 THEN 'AWS'
    WHEN LOGSOURCETYPEID(logsourceid) = 433 THEN 'Azure'
    WHEN LOGSOURCETYPEID(logsourceid) = 459 THEN 'GCP'
    ELSE 'Unknown'
  END AS cloud_provider
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    (LOGSOURCETYPEID(logsourceid) = 347
      AND "deviceEventCategory" IN (
        'AuthorizeSecurityGroupIngress', 'AuthorizeSecurityGroupEgress',
        'RevokeSecurityGroupIngress', 'RevokeSecurityGroupEgress',
        'CreateSecurityGroup', 'DeleteSecurityGroup'
      ))
    OR (LOGSOURCETYPEID(logsourceid) = 433
      AND ("deviceEventCategory" ILIKE '%networkSecurityGroups%'
           OR "URL" ILIKE '%networkSecurityGroups%'))
    OR (LOGSOURCETYPEID(logsourceid) = 459
      AND ("deviceEventCategory" ILIKE '%compute.firewalls%'
           OR "URL" ILIKE '%compute.firewalls%'))
  )
ORDER BY starttime DESC
```

Severity: High · Confidence: Medium

QRadar AQL query correlating cloud firewall modification events across AWS CloudTrail, Azure Audit Logs, and GCP Audit Logs over the last 24 hours. It identifies AWS security group, Azure NSG and GCP firewall rule changes, flags rules that open access to any source (0.0.0.0/0 or ::/0), and enriches each event with the responsible cloud provider and actor identity.
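To exercise the query's matching logic offline (for example when tuning the false-positive list below), here is an added Python re-implementation of its WHERE clause and CASE expressions; it is not code from the original page, the field names mirror the QRadar properties the query reads, and the events fed to it are constructed samples rather than real telemetry.

```python
from datetime import datetime, timedelta, timezone

PROVIDER_BY_TYPE = {347: "AWS", 433: "Azure", 459: "GCP"}  # log source type IDs from the AQL query
AWS_SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                 "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                 "CreateSecurityGroup", "DeleteSecurityGroup"}
OPEN_CIDRS = ("0.0.0.0/0", "::/0")  # any-source IPv4 / IPv6

def open_to_all(raw_action: str) -> bool:
    """Mirror the CASE expression: an any-source CIDR appears in the raw action text."""
    return any(cidr in raw_action for cidr in OPEN_CIDRS)

def matches(event: dict) -> bool:
    """Mirror the WHERE clause's per-provider branch (substring tests case-insensitive, like ILIKE)."""
    cat, url = event.get("deviceEventCategory", ""), event.get("URL", "")
    ls_type = event["logsourcetypeid"]
    if ls_type == 347:
        return cat in AWS_SG_EVENTS
    if ls_type == 433:
        return any("networksecuritygroups" in s.lower() for s in (cat, url))
    if ls_type == 459:
        return any("compute.firewalls" in s.lower() for s in (cat, url))
    return False

def detect(events: list, now: datetime, window_ms: int = 86_400_000) -> list:
    """Return enriched hits inside the lookback window, newest first (ORDER BY starttime DESC)."""
    cutoff = now - timedelta(milliseconds=window_ms)
    hits = [{"actor": ev.get("username"),
             "cloud_provider": PROVIDER_BY_TYPE.get(ev["logsourcetypeid"], "Unknown"),
             "event_category": ev.get("deviceEventCategory"),
             "open_to_all": "Yes" if open_to_all(ev.get("URL", "")) else "No",
             "starttime": ev["starttime"]}
            for ev in events if ev["starttime"] > cutoff and matches(ev)]
    return sorted(hits, key=lambda h: h["starttime"], reverse=True)

# Constructed sample events (not real telemetry): an AWS ingress rule opened to the internet,
# an Azure NSG rule write, a GCP firewall insert older than the window, and a benign AWS call.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"starttime": NOW - timedelta(hours=1), "logsourcetypeid": 347, "username": "deploy-bot",
     "deviceEventCategory": "AuthorizeSecurityGroupIngress", "URL": "tcp/22 from 0.0.0.0/0"},
    {"starttime": NOW - timedelta(hours=2), "logsourcetypeid": 433, "username": "alice",
     "deviceEventCategory": "Microsoft.Network/networkSecurityGroups/securityRules/write", "URL": ""},
    {"starttime": NOW - timedelta(days=3), "logsourcetypeid": 459, "username": "svc-terraform",
     "deviceEventCategory": "v1.compute.firewalls.insert", "URL": ""},
    {"starttime": NOW - timedelta(minutes=5), "logsourcetypeid": 347, "username": "bob",
     "deviceEventCategory": "DescribeInstances", "URL": ""},
]
```

Calling `detect(SAMPLE_EVENTS, NOW)` returns the AWS and Azure events only: the GCP change falls outside the 24-hour window and the DescribeInstances call never matches.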

Data Sources

  • AWS CloudTrail DSM (LOGSOURCETYPEID 347)
  • Microsoft Azure Activity Logs DSM (LOGSOURCETYPEID 433)
  • Google Cloud Audit Logs DSM (LOGSOURCETYPEID 459)

Required Tables

events

False Positives & Tuning

  • Automated cloud governance platforms (AWS Config Rules, Azure Policy) that auto-remediate non-compliant security group configurations by modifying or recreating rules
  • DevOps tooling running in headless service accounts that dynamically provision and tear down security groups for ephemeral test environments
  • Cloud migration projects where large numbers of security groups are created or cloned in bulk during cutover windows
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS Security Group Ingress Rule Addition

    Expected signal: CloudTrail event: AuthorizeSecurityGroupIngress with requestParameters showing port 22 and 0.0.0.0/0 CIDR. GuardDuty finding: UnauthorizedAccess:EC2/TorIPCaller if from suspicious IP.

  2. Test 2: Azure NSG Rule Addition

    Expected signal: Azure Activity Log: Microsoft.Network/networkSecurityGroups/securityRules/write operation.

  3. Test 3: AWS GuardDuty IP Allowlisting via Pacu

    Expected signal: CloudTrail event: CreateIPSet for GuardDuty. This is a critical indicator of defense impairment in AWS.
