Managed Sentinel – Alert 040
Alert ID | MS-A040 |
Alert Name | Firewall configuration change detected (Cisco ASA Firewall) |
Description | This alert fires when a user makes a configuration change on a Cisco ASA firewall outside business hours or outside a planned change window. |
Severity Level | High |
Threat Indicator | Unauthorized Access |
MITRE ATT&CK Tactics | Execution |
Log sources | Firewalls |
False Positive | Approved changes, including emergency changes that were not recorded in a change window before they were made |
Recommendations |
1. If the change was approved by, or can be attributed to, the internal operations team, identify the type of change and assess its impact on the organization.
2. Review the specifics of the change: the commands executed, the type of change, the time, the account used, the source address and the target device.
3. If the change was not approved, roll it back immediately.
4. Hunt in Azure Sentinel for lateral movement or other activity by the same account or source host around the time of the firewall change.
5. Reset the password of the account used to make the change.
6. Enforce MFA for firewall console and management access.
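The detection logic this alert describes, as an added worked example that is not part of the Managed Sentinel content or of the Sentinel analytic rule itself: Python that parses Cisco ASA syslog command-execution messages (message IDs 111008 and 111010), drops read-only commands, and raises MS-A040 only when a configuration command runs outside business hours and outside an approved change window for that account. The business hours, the read-only verb list, the hostnames, users, addresses, ticket number and the log lines themselves are constructed assumptions for the example, not real device output.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Constructed sample lines in the format of Cisco ASA syslog messages
# 111008 ("User 'x' executed the 'y' command.") and 111010
# ("User 'x', running 'app' from IP a.b.c.d, executed 'y'").
# Hostnames, users, addresses and commands are invented for this example.
SAMPLE_LOGS = [
    "Mar 12 2024 10:15:02 asa-edge-01 %ASA-5-111008: User 'netops' executed "
    "the 'access-list INSIDE_OUT extended permit tcp any any eq 443' command.",
    "Mar 13 2024 02:14:33 asa-edge-01 %ASA-5-111010: User 'admin', running 'CLI' "
    "from IP 10.10.1.20, executed 'no access-list OUTSIDE_IN line 3'",
    "Mar 13 2024 02:15:01 asa-edge-01 %ASA-5-111008: User 'admin' executed "
    "the 'show running-config' command.",
    "Mar 16 2024 23:05:10 asa-edge-01 %ASA-5-111010: User 'netops', running 'ASDM' "
    "from IP 10.10.1.40, executed 'write memory'",
]

# One regex covers both message formats; 'app' and 'src' are only present in 111010.
ASA_CMD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-5-1110(?:08|10): User '(?P<user>[^']+)'"
    r"(?:, running '(?P<app>[^']+)' from IP (?P<src>[\d.]+),)?"
    r" executed (?:the )?'(?P<cmd>[^']+)'(?: command)?\.?$"
)

# Assumed business hours (Mon-Fri) and verbs that do not change configuration.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
READ_ONLY_VERBS = {"show", "ping", "traceroute", "packet-tracer", "exit", "end", "terminal"}


@dataclass(frozen=True)
class ChangeWindow:
    """An approved change window from the ticketing system (assumed shape)."""
    ticket: str
    account: str
    start: datetime
    end: datetime


# Constructed: netops has an approved window on Saturday night, admin has none.
SAMPLE_WINDOWS = [
    ChangeWindow("CHG0012345", "netops",
                 datetime(2024, 3, 16, 22, 0), datetime(2024, 3, 17, 0, 0)),
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an ASA command-execution message, or None if it is not one."""
    m = ASA_CMD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def is_config_change(cmd: str) -> bool:
    """Anything that is not a known read-only verb is treated as a configuration change."""
    return cmd.split()[0].lower() not in READ_ONLY_VERBS


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def approved_window(ts: datetime, user: str, windows: List[ChangeWindow]) -> Optional[ChangeWindow]:
    """The change window covering this user at this time, if any."""
    return next((w for w in windows if w.account == user and w.start <= ts <= w.end), None)


def evaluate(lines: List[str], windows: List[ChangeWindow]) -> List[dict]:
    """Apply the MS-A040 logic: config change, outside hours, no approved window."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_config_change(rec["cmd"]):
            continue
        if in_business_hours(rec["ts"]) or approved_window(rec["ts"], rec["user"], windows):
            continue
        alerts.append({
            "alert_id": "MS-A040",
            "severity": "High",
            "ts": rec["ts"],
            "host": rec["host"],
            "user": rec["user"],
            "src": rec["src"],
            "app": rec["app"],
            "cmd": rec["cmd"],
            "reason": "configuration change outside business hours with no approved change window",
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS, SAMPLE_WINDOWS):
        print(alert)
```

Run against the constructed lines, only the 02:14 `no access-list` command by `admin` from 10.10.1.20 is raised: the daytime rule change is inside business hours, the `show running-config` is read-only, and the Saturday `write memory` by `netops` is covered by its change window. Matching the window on the account is deliberate: a valid ticket does not excuse a different account making changes during it, which is the "Approved changes" false-positive case the alert table lists.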