Azure Network Watcher updated
Description
AlphaSOC detected modifications to an Azure Network Watcher configuration. Changes to Network Watcher settings may indicate an attempt to alter network monitoring capabilities, potentially to evade detection or disable cloud logging features.
Impact
Network Watcher configuration changes can impact the effectiveness of network monitoring. Adversaries may modify settings to disable specific monitoring features, alter log destinations, or reduce visibility into network traffic patterns while maintaining the appearance of functional monitoring.
Severity
| Severity | Condition |
|---|---|
Informational | Azure Network Watcher updated |
Investigation and Remediation
Review the specific changes made to the Network Watcher configuration. Verify the identity of the user who made the modifications and confirm the action was authorized. Examine changes to flow log settings, connection monitors, or diagnostic configurations. If unauthorized changes are detected, restore the original configuration and investigate the user's account.
Known False Positives
- Legitimate updates to monitoring configurations
- Infrastructure-as-code deployments modifying network resources
- Adjustments to monitoring scope or log destinations