Creation, deletion, or modification of security groups and firewall rules in cloud control plane logs that expand access to cloud resources beyond expected baselines. Defender view: unexpected ingress/egress rules permitting 0.0.0.0/0 or opening atypical ports, often correlated with privileged role or API key activity.
| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | AWS:CloudTrail | Ingress rule creation or modification for security group |
| Firewall Disable (DC0043) | AWS:CloudTrail | Removal of restrictive egress rules from a security group |

| Field | Description |
|---|---|
| AllowedIPRanges | Whitelist approved IP ranges; detect unexpected addition of 0.0.0.0/0 or untrusted CIDRs. |
| PortScope | Define expected ports for services; flag additions outside this range (e.g., SSH/RDP open to all). |
| RoleContext | Tune alerts based on whether changes are made by break-glass or admin roles versus automation accounts. |
| TimeWindow | Correlate rule changes with subsequent suspicious network activity to reduce false positives. |
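The analytic description and the four tunables above can be turned into a small detection routine. The following is an added example written for this page, not code from ATT&CK or from any vendor: it evaluates CloudTrail records for `AuthorizeSecurityGroupIngress` and `RevokeSecurityGroupEgress`, applies the AllowedIPRanges, PortScope and RoleContext tunables, and then uses the TimeWindow tunable to correlate each alert with later network observations on the same security group. The record layout (`eventName`, `userIdentity.arn`, `requestParameters.groupId`, `requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp`) follows CloudTrail's EC2 record format; all sample events, the network observations, the allowlisted ranges, the expected ports and the automation-role substrings are constructed values that a real deployment would replace with its own baseline.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Tunables mirroring the table above (constructed values, not a real baseline).
ALLOWED_IP_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]
EXPECTED_PORTS = {443, 8443}                   # PortScope: ports services are expected to expose
SENSITIVE_PORTS = {22, 3389}                   # SSH/RDP: never expected to be opened broadly
AUTOMATION_HINTS = ("terraform", "ci-deploy")  # RoleContext: substrings naming automation roles
CORRELATION_WINDOW = timedelta(minutes=30)     # TimeWindow for follow-on network activity


def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _is_automation(event):
    arn = event.get("userIdentity", {}).get("arn", "").lower()
    return any(h in arn for h in AUTOMATION_HINTS)


def _cidr_allowed(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_IP_RANGES)


def _rule_cidrs(perm):
    # CloudTrail nests IPv4 and IPv6 ranges under ipRanges / ipv6Ranges -> items
    for r in perm.get("ipRanges", {}).get("items", []):
        yield r.get("cidrIp")
    for r in perm.get("ipv6Ranges", {}).get("items", []):
        yield r.get("cidrIpv6")


def evaluate_event(event):
    """Return (severity, findings) for one CloudTrail record; findings is empty if benign."""
    findings = []
    name = event.get("eventName")
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    if name == "AuthorizeSecurityGroupIngress":
        for perm in perms:
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            # ipProtocol "-1" (all traffic) carries no port fields at all
            ports = set(range(lo, hi + 1)) if lo is not None and hi is not None else None
            label = "all ports" if ports is None else (f"{lo}-{hi}" if lo != hi else str(lo))
            for cidr in filter(None, _rule_cidrs(perm)):          # AllowedIPRanges check
                if not _cidr_allowed(cidr):
                    findings.append(f"ingress from untrusted CIDR {cidr} on {label}")
            if ports is None or ports & SENSITIVE_PORTS:          # PortScope checks
                findings.append(f"ingress opens sensitive scope ({label})")
            elif not ports <= EXPECTED_PORTS:
                findings.append(f"ingress outside expected port scope ({label})")
    elif name == "RevokeSecurityGroupEgress":
        findings.append("restrictive egress rule removed")
    if not findings:
        return None, []
    # RoleContext: automation accounts are expected to change rules, humans/admins less so
    return ("low" if _is_automation(event) else "high"), findings


def correlate(alerts, network_observations, window=CORRELATION_WINDOW):
    """Flag each alert whose security group saw suspicious traffic inside the window after it."""
    out = []
    for sev, ts, group, findings in alerts:
        followed = any(ts <= obs_ts <= ts + window and obs_group == group
                       for obs_ts, obs_group in network_observations)
        out.append({"severity": sev, "group": group, "findings": findings, "correlated": followed})
    return out


def run_detection(events, network_observations):
    alerts = []
    for ev in events:
        sev, findings = evaluate_event(ev)
        if findings:
            group = ev.get("requestParameters", {}).get("groupId", "?")
            alerts.append((sev, _ts(ev), group, findings))
    return correlate(alerts, network_observations)


ADMIN = "arn:aws:sts::111122223333:assumed-role/AdminRole/alice"          # constructed
AUTOMATION = "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci"  # constructed
SAMPLE_EVENTS = [  # constructed records in CloudTrail's layout
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "arn": AUTOMATION},
     "requestParameters": {"groupId": "sg-0example2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "RevokeSecurityGroupEgress",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": []}}},
]
# constructed: (timestamp, security group) from a flow-log alert ten minutes after the first change
SAMPLE_NETWORK = [(datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc), "sg-0example1")]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, SAMPLE_NETWORK):
        print(alert)
```

Run as-is, the first event (admin opens SSH from 0.0.0.0/0) produces a high-severity alert that is marked correlated because traffic to that group followed within the window; the automation change to an allowlisted range on 443 produces nothing; the egress revocation alerts but has no correlated traffic. The same rule change by an automation role would instead be rated low, which is the RoleContext tuning the table describes.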