
DET0424 Detection Strategy for Disable or Modify Cloud Firewall

Item | Value
ID | DET0424
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1562.007 (Disable or Modify Cloud Firewall)

Analytics

IaaS

AN1188

Creation, deletion, or modification of security groups and firewall rules, recorded in cloud control plane logs, that expands access to cloud resources beyond the expected baseline. Defender view: unexpected ingress or egress rules permitting 0.0.0.0/0 (or its IPv6 equivalent ::/0) or opening atypical ports, often correlated with privileged-role or API-key activity.

Log Sources
Data Component | Name | Channel
Firewall Rule Modification (DC0051) | AWS:CloudTrail | Ingress rule creation or modification for a security group
Firewall Disable (DC0043) | AWS:CloudTrail | Removal of restrictive egress rules from a security group
Mutable Elements
Field | Description
AllowedIPRanges | Allow-list the approved source and destination IP ranges; detect unexpected additions of 0.0.0.0/0, ::/0 or untrusted CIDRs.
PortScope | Define the ports each service is expected to expose; flag rules that open ports outside this set (e.g., SSH or RDP opened to 0.0.0.0/0).
RoleContext | Tune alert severity on who made the change: break-glass or admin roles and long-lived API keys warrant a higher score than known automation (IaC, CI/CD) accounts.
TimeWindow | Correlate a rule change with subsequent suspicious network activity (e.g., accepted connections to the newly opened ports in VPC Flow Logs) to reduce false positives.
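The analytic above and its mutable elements, turned into runnable detection logic. This is an added example written for this page, not code from MITRE ATT&CK or AWS. It scores CloudTrail EC2 security-group events (`AuthorizeSecurityGroupIngress`, `AuthorizeSecurityGroupEgress`, `RevokeSecurityGroupEgress`) against an environment baseline expressed as AllowedIPRanges, PortScope and RoleContext, then applies TimeWindow by correlating each finding with later VPC Flow Log records. The CloudTrail `requestParameters.ipPermissions.items[]` layout, the flow-record fields, the baseline values (`10.0.0.0/8`, `203.0.113.0/24`, ports 80/443, the `terraform`/`cicd` role markers, the 30-minute window), the security group ID and all sample events and flows are assumptions constructed for the example.

```python
"""Worked detection logic for DET0424 / AN1188 (added example; not MITRE or AWS code). Scores CloudTrail
EC2 security-group events against a baseline built from the page's mutable elements and correlates findings
with later VPC Flow Log records. Event/flow-record layouts, baseline values and sample data are assumed."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Mutable elements (assumed tuning values; adjust per environment)
ALLOWED_IP_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]
EXPECTED_PORTS = {80, 443}                   # PortScope: ports a service may expose
AUTOMATION_MARKERS = ("terraform", "cicd")   # RoleContext: ARN substrings of pipeline roles
CORRELATION_WINDOW = timedelta(minutes=30)   # TimeWindow
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress",  # DC0051: ingress rule created/modified
                  "AuthorizeSecurityGroupEgress",   # egress widened (security groups are allow-only)
                  "RevokeSecurityGroupEgress"}      # DC0043: scoped egress rule removed

@dataclass
class Finding:
    event_name: str
    group_id: str
    actor: str
    time: datetime
    reasons: list = field(default_factory=list)
    ports: set = field(default_factory=set)  # unexpected ports exposed; None = every port
    severity: str = "low"

def _items(node):                 # CloudTrail wraps EC2 list parameters as {"items": [...]}
    return (node or {}).get("items", [])

def _trusted(cidr):               # AllowedIPRanges: CIDR or single address within an approved range?
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_IP_RANGES)

def _unexpected_ports(perm):      # ports outside PortScope opened by one permission; None = all
    if str(perm.get("ipProtocol")) == "-1":
        return None
    lo, hi = perm.get("fromPort"), perm.get("toPort")    # ICMP type/code wildcards are -1: skip
    return set(range(lo, hi + 1)) - EXPECTED_PORTS if isinstance(lo, int) and isinstance(hi, int) and lo >= 0 else set()

def evaluate(event):
    """Return a Finding when a watched event widens access beyond baseline, else None."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") not in WATCHED_EVENTS:
        return None
    name, params = event["eventName"], event.get("requestParameters", {})
    f = Finding(name, params.get("groupId", "?"), event.get("userIdentity", {}).get("arn", "unknown"),
                datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00")))
    for perm in _items(params.get("ipPermissions")):
        ports = _unexpected_ports(perm)
        cidrs = ([r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
                 + [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))])
        for cidr in filter(None, cidrs):
            if name == "RevokeSecurityGroupEgress":
                f.reasons.append(f"scoped egress rule to {cidr} removed")
                continue
            wide = ipaddress.ip_network(cidr, strict=False).prefixlen == 0   # 0.0.0.0/0 or ::/0
            if not wide and _trusted(cidr):
                continue                                  # approved range: nothing to flag
            f.reasons.append(f"{name}: {cidr} ({'anywhere' if wide else 'untrusted CIDR'})")
            f.ports = None if ports is None or f.ports is None else f.ports | ports
    if not f.reasons:
        return None
    f.severity = "high" if f.ports is None or f.ports else "medium"
    if any(m in f.actor.lower() for m in AUTOMATION_MARKERS):   # RoleContext: known automation
        f.severity = {"high": "medium", "medium": "low"}[f.severity]
    return f

def correlate(finding, flows):    # TimeWindow: accepted flows from untrusted sources onto exposed ports
    lo, hi = finding.time, finding.time + CORRELATION_WINDOW
    return [r for r in flows
            if lo <= datetime.fromtimestamp(r["start"], tz=timezone.utc) <= hi
            and r["action"] == "ACCEPT" and not _trusted(r["srcaddr"])
            and (finding.ports is None or r["dstport"] in finding.ports)]

def make_event(time, name, arn, perm):   # constructed CloudTrail record (not a real log)
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [perm]}}}

def make_flow(hh, mm, src, dstport, action):   # constructed VPC Flow Log record (parsed default fields)
    return {"srcaddr": src, "dstport": dstport, "action": action,
            "start": int(datetime(2025, 10, 21, hh, mm, tzinfo=timezone.utc).timestamp())}

ROLE = "arn:aws:sts::123456789012:assumed-role/"
SAMPLE_EVENTS = [
    make_event("2025-10-21T10:00:00Z", "AuthorizeSecurityGroupIngress", ROLE + "AdminRole/alice",
               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}),
    make_event("2025-10-21T10:05:00Z", "AuthorizeSecurityGroupIngress", ROLE + "terraform-deploy/run-42",
               {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}),
    make_event("2025-10-21T10:07:00Z", "RevokeSecurityGroupEgress", "arn:aws:iam::123456789012:user/bob",
               {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}),
]
SAMPLE_FLOWS = [make_flow(10, 12, "198.51.100.7", 22, "ACCEPT"), make_flow(10, 13, "10.0.2.9", 22, "ACCEPT"),
                make_flow(10, 14, "198.51.100.7", 22, "REJECT"), make_flow(12, 0, "198.51.100.7", 22, "ACCEPT")]

def run(events=SAMPLE_EVENTS, flows=SAMPLE_FLOWS):
    return [(f, correlate(f, flows)) for f in map(evaluate, events) if f]

if __name__ == "__main__":
    for f, hits in run():
        print(f.severity.upper(), f.event_name, f.group_id, f.actor, "; ".join(f.reasons), f"{len(hits)} flow(s)")
```

Running it yields two findings: the admin role opening SSH to 0.0.0.0/0 scores high and is backed by one accepted flow from an untrusted address within the window, while the Terraform role's HTTPS rule from an approved range produces nothing. The egress revoke is reported on its own because AWS security groups hold allow rules only, so "removing a restrictive egress rule" is a revoke of a scoped allow; the actual widening normally appears as a paired `AuthorizeSecurityGroupEgress` to a broad CIDR, which the same scoring handles. In practice keep a separate port baseline for egress (world-bound 443 is routine), and note that the newer `ModifySecurityGroupRules` API logs a different parameter shape that this example does not parse.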