Azure Event Hub Authorization Rule Created or Updated
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.
Elastic rule
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
recommended that you treat this rule like an administrative root account and don't use it in your application.
"""
false_positives = [
    """
    Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the
    username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions
    or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false
    positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Event Hub Authorization Rule Created or Updated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Event Hub Authorization Rule Created or Updated

Azure Event Hub Authorization Rules manage access to Event Hubs via cryptographic keys, akin to administrative credentials. Adversaries may exploit these rules to gain unauthorized access or escalate privileges, potentially exfiltrating data. The detection rule monitors for the creation or modification of these rules, flagging successful operations to identify potential misuse or unauthorized changes.

### Possible investigation steps

- Review the Azure activity logs to identify the user or service principal associated with the operation by examining the `azure.activitylogs.operation_name` and `event.outcome` fields.
- Check the timestamp of the event to determine when the authorization rule was created or updated, and correlate this with any other suspicious activities around the same time.
- Investigate the specific Event Hub namespace affected by the rule change to understand its role and importance within the organization.
- Verify if the `RootManageSharedAccessKey` or any other high-privilege authorization rule was involved, as these carry significant risk if misused.
- Assess the necessity and legitimacy of the rule change by contacting the user or team responsible for the Event Hub namespace to confirm if the change was authorized and aligns with operational needs.
- Examine any subsequent access patterns or data transfers from the affected Event Hub to detect potential data exfiltration or misuse following the rule change.

### False positive analysis

- Routine administrative updates to authorization rules by IT staff can trigger alerts. To manage this, create exceptions for known administrative accounts or scheduled maintenance windows.
- Automated scripts or deployment tools that update authorization rules as part of regular operations may cause false positives. Identify these scripts and exclude their activity from alerts by filtering based on their service principal or user identity.
- Changes made by trusted third-party services integrated with Azure Event Hub might be flagged. Verify these services and exclude their operations by adding them to an allowlist.
- Frequent updates during development or testing phases can lead to false positives. Consider setting up separate monitoring profiles for development environments to reduce noise.
- Legitimate changes made by users with appropriate permissions might be misinterpreted as threats. Regularly review and update the list of authorized users to ensure only necessary personnel have access, and exclude their actions from alerts.

### Response and remediation

- Immediately revoke or rotate the cryptographic keys associated with the affected Event Hub Authorization Rule to prevent unauthorized access.
- Review the Azure Activity Logs to identify any unauthorized access or data exfiltration attempts that may have occurred using the compromised authorization rule.
- Implement conditional access policies to restrict access to Event Hub Authorization Rules based on user roles and network locations.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
- Conduct a security review of all Event Hub Authorization Rules to ensure that only necessary permissions are granted and that the RootManageSharedAccessKey is not used in applications.
- Enhance monitoring and alerting for changes to authorization rules by integrating with a Security Information and Event Management (SIEM) system to detect similar threats in the future.

## Setup

This rule requires data from the Azure Fleet integration, the Filebeat Azure module, or a similarly structured source."""
references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
risk_score = 47
rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
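To show how the KQL query above behaves on real-shaped data, and how the triage guidance (check whether `RootManageSharedAccessKey` was touched, exclude known automation by service principal) can be applied to the resulting alerts, here is an added Python example. It is not Elastic's code and not part of the rule; it reproduces the three conditions of the query (`event.dataset`, `azure.activitylogs.operation_name`, `event.outcome`) over constructed Azure Activity Log events. The identity field `azure.activitylogs.identity.claims_initiated_by_user.name` and the resource field `azure.resource.id` are assumed field names for the Elastic Azure integration, and all identities, subscription and resource IDs, and timestamps are made up.

```python
"""Added example, not Elastic's code: replay the rule's query logic over
constructed Azure Activity Log events and triage the matches the way the
investigation guide describes."""
import re
from typing import Iterable, Optional

# Values the rule's KQL query matches on (taken from the rule itself).
WATCHED_OPERATION = "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE"
SUCCESS_OUTCOMES = {"Success", "success"}
# The namespace-level policy the investigation guide singles out.
ROOT_RULE = "RootManageSharedAccessKey"

# Trailing ".../authorizationRules/<name>" segment of an ARM resource id.
_AUTH_RULE_RE = re.compile(r"/authorizationRules/([^/]+)$", re.IGNORECASE)

# Assumed field names (not on the rule page) for the acting identity and resource.
IDENTITY_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"
RESOURCE_FIELD = "azure.resource.id"


def matches_rule(event: dict) -> bool:
    """Python equivalent of the rule's KQL: all three clauses must hold.
    operation_name is a keyword field, so the comparison is exact."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == WATCHED_OPERATION
        and event.get("event.outcome") in SUCCESS_OUTCOMES
    )


def authorization_rule_name(resource_id: str) -> Optional[str]:
    """Pull the authorization rule name out of the written resource id."""
    m = _AUTH_RULE_RE.search(resource_id or "")
    return m.group(1) if m else None


def triage(event: dict, allowlisted_principals: frozenset) -> dict:
    """Apply the guide's triage: root-equivalent policy -> escalate;
    known automation -> suppress; anything else -> investigate."""
    principal = event.get(IDENTITY_FIELD, "<unknown>")
    rule_name = authorization_rule_name(event.get(RESOURCE_FIELD, ""))
    if rule_name is not None and rule_name.lower() == ROOT_RULE.lower():
        disposition = "escalate"
    elif principal in allowlisted_principals:
        disposition = "suppress"
    else:
        disposition = "investigate"
    return {
        "timestamp": event.get("@timestamp"),
        "principal": principal,
        "rule_name": rule_name,
        "disposition": disposition,
    }


def run(events: Iterable[dict], allowlisted_principals: frozenset = frozenset()) -> list:
    """Filter events with the rule's logic, then triage each match."""
    return [triage(e, allowlisted_principals) for e in events if matches_rule(e)]


def _event(ts, outcome, operation, principal, rule_name=None) -> dict:
    """Build a constructed flattened activity-log event (all values made up)."""
    resource = (
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
        "/providers/Microsoft.EventHub/namespaces/ns-prod"
    )
    if rule_name is not None:
        resource += "/authorizationRules/" + rule_name
    return {
        "@timestamp": ts,
        "event.dataset": "azure.activitylogs",
        "event.outcome": outcome,
        "azure.activitylogs.operation_name": operation,
        IDENTITY_FIELD: principal,
        RESOURCE_FIELD: resource,
    }


# Constructed sample: one known deployment principal, one root-policy write,
# one failed write, one unrelated namespace write, one lowercase "success".
SAMPLE_EVENTS = [
    _event("2025-01-15T09:12:01Z", "Success", WATCHED_OPERATION, "deploy-sp@example.com", "SendOnlyPolicy"),
    _event("2025-01-15T09:14:37Z", "Success", WATCHED_OPERATION, "contractor@example.com", ROOT_RULE),
    _event("2025-01-15T09:15:02Z", "Failure", WATCHED_OPERATION, "contractor@example.com", "ListenPolicy"),
    _event("2025-01-15T09:16:45Z", "Success", "MICROSOFT.EVENTHUB/NAMESPACES/WRITE", "admin@example.com"),
    _event("2025-01-15T09:18:10Z", "success", WATCHED_OPERATION, "admin@example.com", "ListenPolicy"),
]
KNOWN_AUTOMATION = frozenset({"deploy-sp@example.com"})

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS, KNOWN_AUTOMATION):
        print(finding)
```

Running the block yields three findings: the deployment principal's write is suppressed, the write to `RootManageSharedAccessKey` is escalated, and the remaining successful write is left for investigation; the failed write and the plain namespace write never match, just as they would not match the KQL.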
Related rules
- AWS CloudTrail Log Created
- Azure Command Execution on Virtual Machine
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Resource Group Deletion