Azure Full Network Packet Capture Detected
Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/08/12"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/28"
8
9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can
13be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted
14internal traffic.
15"""
16false_positives = [
17 """
18 Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user
19 agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
20 users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
21 rule.
22 """,
23]
24from = "now-25m"
25index = ["filebeat-*", "logs-azure*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "Azure Full Network Packet Capture Detected"
29note = """## Setup
30
31The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
33risk_score = 47
34rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
42 (
43 MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or
44 MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or
45 MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE
46 ) and
47event.outcome:(Success or success)
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1040"
55name = "Network Sniffing"
56reference = "https://attack.mitre.org/techniques/T1040/"
57
58
59[rule.threat.tactic]
60id = "TA0006"
61name = "Credential Access"
62reference = "https://attack.mitre.org/tactics/TA0006/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Key Vault Modified
- Azure Storage Account Key Regenerated
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic