Excessive Secret or Key Retrieval from Azure Key Vault

Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting possible credential harvesting or misuse of sensitive information.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/07/10"
integration = ["azure"]
maturity = "production"
updated_date = "2025/07/24"

[rule]
author = ["Elastic"]
description = """
Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal
retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential
abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal
user behavior, suggesting possible credential harvesting or misuse of sensitive information.
"""
false_positives = [
    """
    Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes
    may trigger this rule.
    """,
    """
    Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or
    application configuration, may also lead to false positives.
    """,
    """
    Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may
    trigger this rule if they perform multiple retrievals in a short time frame.
    """,
]
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "Excessive Secret or Key Retrieval from Azure Key Vault"
note = """## Triage and analysis

### Investigating Excessive Secret or Key Retrieval from Azure Key Vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.

### Possible investigation steps
- Review the `azure.platformlogs.identity.claim.upn` field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious.
- Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` field to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI-compliant application; such applications are commonly abused by adversaries to evade security controls or conditional access policies.
- Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
- Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
- Check the `source.ip` or `geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
- Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
- Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.

### False positive analysis
- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.

### Response and remediation
- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
"""
references = ["https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html"]
risk_score = 43
rule_id = "c07f7898-5dc3-11f0-9f27-f661ea17fbcd"
setup = """#### Required Azure Key Vault Diagnostic Logs

To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault:
- AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Azure Platform Logs",
    "Data Source: Azure Key Vault",
    "Use Case: Threat Detection",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-azure.platformlogs-* metadata _id, _index

// Filter for Azure Key Vault read operations
| where event.dataset == "azure.platformlogs"
  and event.action in (
    "VaultGet",
    "KeyGet",
    "KeyList",
    "KeyListVersions",
    "KeyGetDeleted",
    "KeyListDeleted",
    "SecretGet",
    "SecretList",
    "SecretListVersions",
    "SecretGetDeleted",
    "SecretListDeleted",
    "CertificateGet",
    "CertificateList",
    "CertificateListVersions",
    "CertificateGetDeleted",
    "CertificateListDeleted",
    "CertificatePolicyGet",
    "CertificateContactsGet",
    "CertificateIssuerGet",
    "CertificateIssuersList"
  )

// Truncate timestamps into 1-minute windows
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)

// Aggregate identity, geo, resource, and activity info
| stats
    Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
    Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
    Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
    Esql.azure_platformlogs_identity_claim_objectid_values = values(azure.platformlogs.identity.claim.objectid),

    Esql.source_ip_values = values(source.ip),
    Esql.geo_city_values = values(geo.city_name),
    Esql.geo_region_values = values(geo.region_name),
    Esql.geo_country_values = values(geo.country_name),
    Esql.source_as_organization_name_values = values(source.as.organization.name),

    Esql.event_action_values = values(event.action),
    Esql.event_count = count(*),
    Esql.event_action_count_distinct = count_distinct(event.action),
    Esql.azure_resource_name_count_distinct = count_distinct(azure.resource.name),
    Esql.azure_resource_name_values = values(azure.resource.name),
    Esql.azure_platformlogs_result_type_values = values(azure.platformlogs.result_type),
    Esql.cloud_region_values = values(cloud.region),

    Esql.agent_name_values = values(agent.name),
    Esql.azure_subscription_id_values = values(azure.subscription_id),
    Esql.azure_resource_group_values = values(azure.resource.group),
    Esql.azure_resource_id_values = values(azure.resource.id)

by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn

// keep relevant fields
| keep
    Esql.time_window_date_trunc,
    Esql_priv.azure_platformlogs_identity_claim_upn_values,
    Esql.azure_platformlogs_identity_claim_upn_count_distinct,
    Esql.azure_platformlogs_identity_claim_appid_values,
    Esql.azure_platformlogs_identity_claim_objectid_values,
    Esql.source_ip_values,
    Esql.geo_city_values,
    Esql.geo_region_values,
    Esql.geo_country_values,
    Esql.source_as_organization_name_values,
    Esql.event_action_values,
    Esql.event_count,
    Esql.event_action_count_distinct,
    Esql.azure_resource_name_count_distinct,
    Esql.azure_resource_name_values,
    Esql.azure_platformlogs_result_type_values,
    Esql.cloud_region_values,
    Esql.agent_name_values,
    Esql.azure_subscription_id_values,
    Esql.azure_resource_group_values,
    Esql.azure_resource_id_values

// Filter for suspiciously high volume of distinct Key Vault reads by a single actor
| where Esql.azure_platformlogs_identity_claim_upn_count_distinct == 1 and Esql.event_count >= 10 and Esql.event_action_count_distinct >= 2

| sort Esql.time_window_date_trunc desc
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.006"
name = "Cloud Secrets Management Stores"
reference = "https://attack.mitre.org/techniques/T1555/006/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
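To make the rule's aggregation and threshold logic concrete, here is an added example (not Elastic's code, and not part of the rule) that re-implements the ES|QL pipeline above in Python and runs it over constructed Azure Key Vault `AuditEvent` records: the same read-action filter, the 1-minute `date_trunc` bucketing by UPN, and the `event_count >= 10` / `event_action_count_distinct >= 2` thresholds. Field names follow the ECS-mapped fields the rule uses; every UPN, app id, IP and vault name below is invented. The `allowlisted_appids` parameter is a hypothetical tuning knob illustrating the false-positive guidance about exceptions for known automation, not something the rule itself provides.

```python
"""Added example: the Key Vault excessive-retrieval rule's logic in Python,
run over constructed sample records (invented values, not real telemetry)."""
from collections import defaultdict
from datetime import datetime

# Read operations from the rule's `event.action in (...)` clause
KEY_VAULT_READ_ACTIONS = {
    "VaultGet", "KeyGet", "KeyList", "KeyListVersions", "KeyGetDeleted",
    "KeyListDeleted", "SecretGet", "SecretList", "SecretListVersions",
    "SecretGetDeleted", "SecretListDeleted", "CertificateGet", "CertificateList",
    "CertificateListVersions", "CertificateGetDeleted", "CertificateListDeleted",
    "CertificatePolicyGet", "CertificateContactsGet", "CertificateIssuerGet",
    "CertificateIssuersList",
}

# Thresholds from the rule's final `where` clause
MIN_EVENTS = 10           # Esql.event_count >= 10
MIN_DISTINCT_ACTIONS = 2  # Esql.event_action_count_distinct >= 2


def truncate_to_minute(timestamp: str) -> str:
    """Mirror `date_trunc(1 minute, @timestamp)` for an ISO-8601 UTC timestamp."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return dt.replace(second=0, microsecond=0).isoformat()


def detect_excessive_retrieval(events, allowlisted_appids=frozenset()):
    """Return one alert per (1-minute window, UPN) bucket crossing both thresholds.

    `allowlisted_appids` is a hypothetical exception list for known automation
    (the kind of tuning the rule's false-positive guidance recommends)."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("event.dataset") != "azure.platformlogs":
            continue
        if ev.get("event.action") not in KEY_VAULT_READ_ACTIONS:
            continue
        upn = ev.get("azure.platformlogs.identity.claim.upn")
        # Records without a UPN claim would share one null bucket whose
        # count_distinct(upn) is 0, so the rule's `== 1` check never fires for them.
        if upn is None:
            continue
        if ev.get("azure.platformlogs.identity.claim.appid") in allowlisted_appids:
            continue
        buckets[(truncate_to_minute(ev["@timestamp"]), upn)].append(ev)

    alerts = []
    for (window, upn), evs in sorted(buckets.items(), reverse=True):  # newest first
        actions = {e["event.action"] for e in evs}
        if len(evs) >= MIN_EVENTS and len(actions) >= MIN_DISTINCT_ACTIONS:
            alerts.append({
                "time_window": window,
                "upn": upn,
                "event_count": len(evs),
                "event_action_values": sorted(actions),
                "source_ip_values": sorted({e["source.ip"] for e in evs}),
                "azure_resource_name_values": sorted({e["azure.resource.name"] for e in evs}),
            })
    return alerts


# --- Constructed sample records (all values invented) ---
AUTOMATION_APPID = "11111111-2222-3333-4444-555555555555"  # hypothetical rotation app
USER_APPID = "aaaaaaaa-0000-0000-0000-000000000001"        # hypothetical client app


def _record(ts, upn, action, appid, ip, vault="kv-prod-example"):
    return {"@timestamp": ts, "event.dataset": "azure.platformlogs", "event.action": action,
            "azure.platformlogs.identity.claim.upn": upn,
            "azure.platformlogs.identity.claim.appid": appid,
            "source.ip": ip, "azure.resource.name": vault}


def build_sample_events():
    events = []
    # alice: 12 reads of 3 kinds inside one minute -> crosses both thresholds
    alice = ["SecretList"] * 2 + ["KeyGet"] * 2 + ["SecretGet"] * 8
    for i, action in enumerate(alice):
        events.append(_record(f"2025-07-10T12:00:{i:02d}Z", "alice@example.com", action, USER_APPID, "203.0.113.10"))
    # bob: 12 reads but a single action type -> below the distinct-action threshold
    for i in range(12):
        events.append(_record(f"2025-07-10T12:00:{i:02d}Z", "bob@example.com", "SecretGet", USER_APPID, "198.51.100.7"))
    # rotation service: crosses both thresholds unless its app id is allowlisted
    for i in range(10):
        events.append(_record(f"2025-07-10T12:03:{i:02d}Z", "svc-rotate@example.com",
                              "SecretGet" if i % 2 else "SecretListVersions", AUTOMATION_APPID, "192.0.2.5"))
    # alice again in a later window with only 3 reads -> no alert for that window
    for i in range(3):
        events.append(_record(f"2025-07-10T12:05:{i:02d}Z", "alice@example.com", "SecretGet", USER_APPID, "203.0.113.10"))
    # noise: a write operation and a non-Key-Vault dataset, both filtered out
    events.append(_record("2025-07-10T12:00:30Z", "alice@example.com", "SecretSet", USER_APPID, "203.0.113.10"))
    other = _record("2025-07-10T12:00:31Z", "alice@example.com", "SecretGet", USER_APPID, "203.0.113.10")
    other["event.dataset"] = "azure.signinlogs"
    events.append(other)
    return events


if __name__ == "__main__":
    for alert in detect_excessive_retrieval(build_sample_events()):
        print(alert)
```

Running it as-is produces two alerts (the rotation service at 12:03 and alice at 12:00); passing `allowlisted_appids={AUTOMATION_APPID}` leaves only alice, while bob never alerts because all twelve of his reads are the same action. The null-UPN comment is worth keeping in mind when tuning: identities that authenticate without a `upn` claim are not covered by this grouping, so they need their own rule or a second grouping key.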
