Defender observes configuration changes on a firewall or network appliance involving rule creation, modification, or deletion from abnormal management IPs or non-console channels (e.g., remote CLI, API). These are often correlated with a spike in previously blocked outbound traffic, unexpected allow-all rules, or bulk rule deletions. The behavior often follows unauthorized login, privilege escalation, or API abuse.

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | networkdevice:Firewall | update_rule: Access control or NAT rule modified or disabled outside maintenance window |
| Logon Session Creation (DC0067) | networkdevice:Firewall | Login from untrusted IP, or new admin account accessing firewall console/API |
| Command Execution (DC0064) | networkdevice:Firewall | Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound traffic spike through formerly blocked ports/subnets following config change |

| Field | Description |
|---|---|
| TrustedAdminIPs | Allowlisted IPs/subnets where administrative access is expected (e.g., jump box, VPN mgmt) |
| ConfigChangeWindow | Expected maintenance window (e.g., 02:00–04:00 UTC) to filter benign changes |
| RuleScopeThreshold | Number of rules affected or port ranges modified to determine severity |
| NewUserPrivilegeThreshold | Flag new users making changes without observed privilege elevation path |
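The following is an added example, not part of the original strategy, showing how the tunables above can drive the correlation the description calls for: each rule change is scored against TrustedAdminIPs, ConfigChangeWindow and RuleScopeThreshold, then linked to outbound flows on formerly blocked ports that start shortly afterwards. The audit and flow records, their field names and the FLOW_CORRELATION interval are constructed assumptions; NewUserPrivilegeThreshold is not modeled.

```python
import ipaddress
from datetime import datetime, time, timedelta

# Tunables from the table above; the values here are constructed for the example.
TRUSTED_ADMIN_IPS = [ipaddress.ip_network("10.10.0.0/24")]  # jump box / VPN mgmt subnet
CONFIG_CHANGE_WINDOW = (time(2, 0), time(4, 0))             # 02:00-04:00 UTC
RULE_SCOPE_THRESHOLD = 5                                    # rules touched before severity rises
FLOW_CORRELATION = timedelta(minutes=30)                    # assumed: egress this soon after a change is linked to it

# Constructed sample telemetry: two rule changes (DC0051) and one flow record (DC0082).
CHANGES = [
    {"ts": "2024-05-01T03:15:00Z", "src": "10.10.0.5", "user": "netops", "rules": 1, "action": "modify"},
    {"ts": "2024-05-01T13:42:10Z", "src": "198.51.100.23", "user": "svc_backup", "rules": 12, "action": "delete"},
]
FLOWS = [{"ts": "2024-05-01T13:50:00Z", "dst_port": 4444, "bytes": 5_000_000, "previously_blocked": True}]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_trusted(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_ADMIN_IPS)

def in_window(ts):
    start, end = CONFIG_CHANGE_WINDOW
    return start <= ts.time() <= end

def assess_change(change, flows):
    """Score one firewall rule change and correlate it with egress on formerly blocked ports."""
    ts = parse_ts(change["ts"])
    reasons = []
    if not is_trusted(change["src"]):
        reasons.append("source not in TrustedAdminIPs")
    if not in_window(ts):
        reasons.append("outside ConfigChangeWindow")
    if change["rules"] >= RULE_SCOPE_THRESHOLD:
        reasons.append("rules affected >= RuleScopeThreshold")
    egress = [f for f in flows if f["previously_blocked"]
              and ts <= parse_ts(f["ts"]) <= ts + FLOW_CORRELATION]
    if egress:
        reasons.append("egress on formerly blocked port after change")
    # A single signal is low confidence; untrusted source plus correlated egress, or three
    # independent signals, is the pattern the description above calls out.
    if (egress and not is_trusted(change["src"])) or len(reasons) >= 3:
        severity = "high"
    else:
        severity = "medium" if reasons else "none"
    return {"user": change["user"], "src": change["src"], "severity": severity, "reasons": reasons}

def detect(changes=CHANGES, flows=FLOWS):
    return [a for a in (assess_change(c, flows) for c in changes) if a["severity"] != "none"]
```

The in-window change from the trusted jump box produces no alert, while the bulk deletion from an untrusted address followed by egress on a previously blocked port scores high.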