Impair Defenses: Disable or Modify Cloud Firewall `T1562.007`

Tactic: Stealth

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.

Authoring guide

Patterns shared across the 53 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (43 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`data_stream.dataset`	24	`eq` 24	`okta.system`, `aws.cloudtrail`, `gcp.audit`, `azure.activitylogs`, `google_workspace.admin`
`EventType`	22	`eq` 13, `wildcard` 6, `in` 5, `ends_with` 3	`AuthorizeSecurityGroupIngress`, `.compute.firewalls.delete`, `.compute.firewalls.insert`, `.compute.firewalls.patch`, `ADD_TRUSTED_DOMAINS`
`data.type`	13	`eq` 13	`sapi`, `f`, `fcoa`, `fepft`
`data.description`	11	`eq` 11	`Create or update the anomaly detection captcha`, `Update Brute-force settings`, `Update Suspicious IP Throttling settings`, `Update Breached Password Detection settings`, `Update a client`
`event.outcome`	10	`eq` 8, `in` 2	`success`, `Success`
`Provider_Name`	7	`eq` 5, `in` 2	`ec2.amazonaws.com`, `waf-regional.amazonaws.com`, `waf.amazonaws.com`, `wafv2.amazonaws.com`, `admin`
`aws::eventName`	7	`in` 6, `eq` 1	`AuthorizeDBSecurityGroupIngress`, `CreateNetworkAclEntry`, `ApplySecurityGroupsToLoadBalancer`, `AuthorizeSecurityGroupEgress`, `AuthorizeSecurityGroupIngress`
`OperationName`	5	`eq` 5	`Update conditional access policy`, `Add conditional access policy`, `Delete conditional access policy`
`data.details.response.body.enabled`	4	`eq` 4	`false`
`aws::errorCode`	3	`is_null` 3
`aws::eventSource`	3	`eq` 2, `ne` 1	`rds.amazonaws.com`, `apigateway.amazonaws.com`
`data.details.response.statusCode`	3	`eq` 3	`200`
`azure.activitylogs.operation_name`	2	`eq` 2	`MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE`, `MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE`
`data.details.request.body.enabled`	2	`eq` 2	`false`
`data.details.response.body.shields{}`	2	`eq` 2	`block`

Top indicator values (146 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`data.type`	`eq`	`sapi` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaBot detection - the feature is turned off completely or some policies. sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated sigmaInsecure OAuth2.x flows have been enabled for some applications sigmaLoaded LiquidJS error page template contains XSS vulnerabilities sigmaMFA downgrade - adaptive MFA risk assessment disabled sigmaMFA downgrade - disable MFA policies by modifying the policies sigmaMFA downgrade - disable strong factors sigmaSuspicious IP Throttling - critical settings manipulated sigmaUnauthorized or Unexpected Enabling of Cross-Origin Authentication (CORS) sigmaUnrecognized IP in attack protection allowlists	12	18
`data_stream.dataset`	`eq`	`okta.system` elasticAttempt to Deactivate an Okta Network Zone elasticAttempt to Deactivate an Okta Policy elasticAttempt to Deactivate an Okta Policy Rule elasticAttempt to Delete an Okta Network Zone elasticAttempt to Delete an Okta Policy elasticAttempt to Delete an Okta Policy Rule elasticAttempt to Modify an Okta Network Zone elasticAttempt to Modify an Okta Policy elasticAttempt to Modify an Okta Policy Rule	9	48
`data_stream.dataset`	`eq`	`aws.cloudtrail` elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	6	141
`data_stream.dataset`	`eq`	`gcp.audit` elasticGCP Firewall Rule Creation elasticGCP Firewall Rule Deletion elasticGCP Firewall Rule Modification elasticGCP Virtual Private Cloud Network Deletion elasticGCP Virtual Private Cloud Route Creation elasticGCP Virtual Private Cloud Route Deletion	6	23
`data_stream.dataset`	`eq`	`azure.activitylogs` elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted	2	34
`event.outcome`	`eq`	`success` elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion elasticGCP Virtual Private Cloud Network Deletion elasticGCP Virtual Private Cloud Route Deletion elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	8	251
`Provider_Name`	`eq`	`ec2.amazonaws.com` elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	4	19
`data.details.response.body.enabled`	`eq`	`false` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated sigmaSuspicious IP Throttling - critical settings manipulated	4	4
`OperationName`	`eq`	`Update conditional access policy` kustoConditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed) kustoConditional Access - A Conditional Access policy was disabled kustoConditional Access - A Conditional Access policy was put into report-only mode	3	6
`data.description`	`eq`	`Create or update the anomaly detection captcha` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaBot detection - the feature is turned off completely or some policies. sigmaUnrecognized IP in attack protection allowlists	3	4
`data.description`	`eq`	`Update Brute-force settings` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaBrute Force Protection - critical settings manipulated sigmaUnrecognized IP in attack protection allowlists	3	3
`data.description`	`eq`	`Update Suspicious IP Throttling settings` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaSuspicious IP Throttling - critical settings manipulated sigmaUnrecognized IP in attack protection allowlists	3	3
`data.details.response.statusCode`	`eq`	`200` sigmaBot detection - the feature is turned off completely or some policies. sigmaInsecure OAuth2.x flows have been enabled for some applications sigmaMFA downgrade - adaptive MFA risk assessment disabled	3	5
`Provider_Name`	`in`	`waf-regional.amazonaws.com` elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion	2	2
`Provider_Name`	`in`	`waf.amazonaws.com` elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion	2	2
`Provider_Name`	`in`	`wafv2.amazonaws.com` elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion	2	2
`aws::eventName`	`in`	`CreateNetworkAclEntry` kustoAWSCloudTrail - Changes to Amazon VPC settings kustoAWSCloudTrail - Network ACL with all the open ports to a specified CIDR	2	3
`aws::eventSource`	`eq`	`rds.amazonaws.com` pantherAWS RDS Instance Modified to be Publicly Accessible pantherAWS RDS Security Group Ingress Authorized	2	23
`data.details.request.body.enabled`	`eq`	`false` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaMFA downgrade - disable strong factors	2	2
`data.details.response.body.shields{}`	`eq`	`block` sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated	2
`event.outcome`	`in`	`Success` elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted	2	37
`event.outcome`	`in`	`success` elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted	2	38
`stateOld`	`eq`	`enabled` kustoConditional Access - A Conditional Access policy was disabled kustoConditional Access - A Conditional Access policy was put into report-only mode	2	2
`EventID`	`eq`	`ADD_TRUSTED_DOMAINS` chronicleGoogle Workspace New Trusted Domain Added	1
`EventType`	`ends_with`	`.compute.firewalls.delete` elasticGCP Firewall Rule Deletion	1
`EventType`	`ends_with`	`.compute.firewalls.insert` elasticGCP Firewall Rule Creation	1
`EventType`	`ends_with`	`.compute.firewalls.patch` elasticGCP Firewall Rule Modification	1
`EventType`	`eq`	`ADD_TRUSTED_DOMAINS` elasticDomain Added to Google Workspace Trusted Domains	1
`EventType`	`eq`	`AuthorizeSecurityGroupIngress` elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	1
`EventType`	`eq`	`DeleteWebACL` elasticAWS WAF Access Control List Deletion	1

Exclusions (3 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`data.details.response.body.shields{}`	`eq`	`block` sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated	2
`data.details.response.body.stage.pre-user-registration.shields{}`	`eq`	`block` sigmaBreached Password Detection - critical settings manipulated	1
`data.request.body.allowlist`	`eq`	`192.0.2.0/24` sigmaUnrecognized IP in attack protection allowlists	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Impair Defenses: Disable or Modify Cloud Firewall `T1562.007`

Authoring guide

Fields filtered most (43 distinct)

Top indicator values (146 distinct)

Exclusions (3 distinct)

Rules under this technique

Sigma 14 rules

Elastic 24 rules

Kusto 10 rules

YARA-L 1 rule

Panther 4 rules

Keyboard shortcuts

Search operators

Impair Defenses: Disable or Modify Cloud Firewall T1562.007

Authoring guide

Fields filtered most (43 distinct)

Top indicator values (146 distinct)

Exclusions (3 distinct)

Rules under this technique

Sigma 14 rules

Elastic 24 rules

Kusto 10 rules

YARA-L 1 rule

Panther 4 rules

Impair Defenses: Disable or Modify Cloud Firewall `T1562.007`