Azure Event Hub Authorization Rule Created or Updated

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/18"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
11specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
12RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
13recommended that you treat this rule like an administrative root account and don't use it in your application.
14"""
15false_positives = [
16    """
17    Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the
18    username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions
19    or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false
20    positives, it can be exempted from the rule.
21    """,
22]
23from = "now-25m"
24index = ["filebeat-*", "logs-azure*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Azure Event Hub Authorization Rule Created or Updated"
28note = """## Setup
29
30The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
32risk_score = 47
33rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
34severity = "medium"
35tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1530"
48name = "Data from Cloud Storage"
49reference = "https://attack.mitre.org/techniques/T1530/"
50
51
52[rule.threat.tactic]
53id = "TA0009"
54name = "Collection"
55reference = "https://attack.mitre.org/tactics/TA0009/"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1537"
60name = "Transfer Data to Cloud Account"
61reference = "https://attack.mitre.org/techniques/T1537/"
62
63
64[rule.threat.tactic]
65id = "TA0010"
66name = "Exfiltration"
67reference = "https://attack.mitre.org/tactics/TA0010/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top