Azure Full Network Packet Capture Detected
Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/08/12"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Austin Songer"]
9description = """
10Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can
11be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted
12internal traffic.
13"""
14false_positives = [
15 """
16 Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user
17 agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
18 users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
19 rule.
20 """,
21]
22from = "now-25m"
23index = ["filebeat-*", "logs-azure*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Azure Full Network Packet Capture Detected"
27note = """## Setup
28
29The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
31risk_score = 47
32rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
33severity = "medium"
34tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
35timestamp_override = "event.ingested"
36type = "query"
37
38query = '''
39event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
40 (
41 MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or
42 MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or
43 MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE
44 ) and
45event.outcome:(Success or success)
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1040"
53name = "Network Sniffing"
54reference = "https://attack.mitre.org/techniques/T1040/"
55
56
57[rule.threat.tactic]
58id = "TA0006"
59name = "Credential Access"
60reference = "https://attack.mitre.org/tactics/TA0006/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Key Vault Modified
- Azure Storage Account Key Regenerated
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group