Azure Event Hub Authorization Rule Created or Updated
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
13specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
14RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
15recommended that you treat this rule like an administrative root account and don't use it in your application.
16"""
17false_positives = [
18 """
19 Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the
20 username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions
21 or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false
22 positives, it can be exempted from the rule.
23 """,
24]
25from = "now-25m"
26index = ["filebeat-*", "logs-azure*"]
27language = "kuery"
28license = "Elastic License v2"
29name = "Azure Event Hub Authorization Rule Created or Updated"
30note = """## Setup
31
32The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
33references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
34risk_score = 47
35rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
36severity = "medium"
37tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1530"
50name = "Data from Cloud Storage"
51reference = "https://attack.mitre.org/techniques/T1530/"
52
53
54[rule.threat.tactic]
55id = "TA0009"
56name = "Collection"
57reference = "https://attack.mitre.org/tactics/TA0009/"
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1537"
63name = "Transfer Data to Cloud Account"
64reference = "https://attack.mitre.org/techniques/T1537/"
65
66
67[rule.threat.tactic]
68id = "TA0010"
69name = "Exfiltration"
70reference = "https://attack.mitre.org/tactics/TA0010/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
This article provides information about authorizing access to Azure Event Hubs resources by using Shared Access Signatures (SAS).
Read More
Related rules
- Azure Command Execution on Virtual Machine
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Resource Group Deletion
- GCP Pub/Sub Subscription Creation