Managed Sentinel – Alert 040

Alert ID: MS-A040
Alert Name: Firewall configuration change detected (Cisco ASA Firewall)
Description: This alert notifies on configuration changes performed by a user on a firewall outside of business hours or planned change windows.
Severity Level: High
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution
Log Sources: Firewalls
False Positive: Approved changes
Recommendations:
1. If the change has been approved by or associated with the internal operations team, identify the type of change and understand its impact on the organization.
2. Review the specifics of the firewall change, such as commands, type, time, account, target system, etc.
3. Roll back the change immediately.
4. Investigate via Azure Sentinel for any lateral movement in your network infrastructure related to the specific firewall change.
5. Reset the password for the account used for the firewall change.
6. Use MFA for firewall console access.
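The detection described above (a firewall configuration change outside business hours and outside any planned change window) as an added, self-contained example; it is not Managed Sentinel's rule and not the Azure Sentinel KQL that would run in production. It parses the Cisco ASA syslog messages that record a user-executed command (message IDs 111008 and 111010 are the ASA's own config-audit messages), then applies the business-hours and change-window checks. The sample log lines, the business-hours policy (Mon-Fri 08:00-18:00), the change window, and the assumed year for the year-less syslog timestamps are all constructed for the example.

```python
import re
from datetime import datetime, time

# ASA syslog timestamps carry no year; this example assumes one (assumption).
ASSUMED_YEAR = 2024

# Business-hours policy (assumption): Monday-Friday, 08:00-18:00 firewall local time.
BUSINESS_DAYS = {0, 1, 2, 3, 4}
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Planned change windows (assumption): one approved maintenance window, Sat 15 Jun 02:00-04:00.
# A real deployment would load these from the change-management system.
CHANGE_WINDOWS = [
    (datetime(2024, 6, 15, 2, 0), datetime(2024, 6, 15, 4, 0)),
]

# Syslog header: optional <PRI>, then "Mon DD HH:MM:SS host ".
RE_TS = re.compile(r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# %ASA-5-111010: User 'x', running 'app' from IP a.b.c.d, executed 'cmd'
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<ip>[^,]+), executed '(?P<cmd>.*)'"
)
# %ASA-5-111008: User 'x' executed the 'cmd' command.
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command"
)

# Constructed sample log lines (not real traffic). Line 1: in-hours change. Line 2: change
# at 02:13 on a weekday. Line 3: Saturday change inside the approved window. Line 4: Sunday
# night change that disables logging. Line 5: an unrelated connection-built message.
SAMPLE_LOGS = [
    "<166>Jun 12 10:15:02 fw01 %ASA-5-111010: User 'alice', running 'CLI' from IP 10.0.0.5, executed 'object network web01'",
    "<166>Jun 12 02:13:45 fw01 %ASA-5-111008: User 'svc-backup' executed the 'configure terminal' command.",
    "<166>Jun 15 03:00:10 fw01 %ASA-5-111010: User 'bob', running 'ASDM' from IP 10.0.0.7, executed 'no access-list outside_in extended permit tcp any any eq 3389'",
    "<166>Jun 16 23:40:00 fw01 %ASA-5-111010: User 'eve', running 'CLI' from IP 198.51.100.23, executed 'no logging enable'",
    "<166>Jun 16 23:41:12 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.23/51000 (198.51.100.23/51000) to inside:10.0.0.9/443 (10.0.0.9/443)",
]


def parse_asa_config_change(line):
    """Return a normalised event for 111008/111010 lines, or None for anything else."""
    m_ts = RE_TS.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    m = RE_111010.search(line)
    if m:
        return {"ts": ts, "host": m_ts.group("host"), "user": m.group("user"),
                "src_ip": m.group("ip"), "app": m.group("app"), "cmd": m.group("cmd")}
    m = RE_111008.search(line)
    if m:
        return {"ts": ts, "host": m_ts.group("host"), "user": m.group("user"),
                "src_ip": None, "app": None, "cmd": m.group("cmd")}
    return None


def is_business_hours(ts):
    """True when ts falls on a business day within the business-hours window."""
    return ts.weekday() in BUSINESS_DAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def in_change_window(ts, windows=CHANGE_WINDOWS):
    """True when ts lies inside any approved change window (suppresses approved changes)."""
    return any(start <= ts <= end for start, end in windows)


def evaluate(lines, windows=CHANGE_WINDOWS):
    """Apply the MS-A040 logic to raw syslog lines; return the events that should alert."""
    alerts = []
    for line in lines:
        event = parse_asa_config_change(line)
        if event is None:
            continue  # not a config-change audit message
        if is_business_hours(event["ts"]) or in_change_window(event["ts"], windows):
            continue  # expected activity or an approved change (the documented false positive)
        event["alert"] = "MS-A040"
        event["reason"] = "config change outside business hours and outside any change window"
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"{a['alert']} {a['ts']:%Y-%m-%d %H:%M} user={a['user']} "
              f"src={a['src_ip']} host={a['host']} cmd={a['cmd']!r}")
```

On the constructed input only the 02:13 weekday change by `svc-backup` and the Sunday-night `no logging enable` by `eve` alert; the Saturday change falls inside the approved window and is suppressed. The fields kept on each event (account, source IP, management application, command, time, target host) are exactly the details recommendation 2 asks an analyst to review, and the 111008 message carries no source IP, so the code records it as unknown rather than dropping the event.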