Azure Key Vault Secret Key Usage by Unusual Identity

  1[metadata]
  2creation_date = "2025/07/10"
  3integration = ["azure"]
  4maturity = "production"
  5updated_date = "2025/07/22"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies secrets, keys, or certificates retrieval operations from Azure Key Vault by a user principal that has not
 11been seen previously doing so in a certain amount of days. Azure Key Vault is a cloud service for securely storing and accessing secrets,
 12keys, and certificates. Unauthorized or excessive retrievals may indicate potential abuse or unauthorized access
 13attempts.
 14"""
 15false_positives = [
 16    """
 17    Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes
 18    may trigger this rule.
 19    """,
 20    """
 21    Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or
 22    application configuration, may also lead to false positives.
 23    """,
 24    """
 25    Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may
 26    trigger this rule if they perform multiple retrievals in a short time frame.
 27    """,
 28]
 29from = "now-9m"
 30index = ["filebeat-*", "logs-azure.platformlogs-*"]
 31language = "kuery"
 32license = "Elastic License v2"
 33name = "Azure Key Vault Secret Key Usage by Unusual Identity"
 34note = """## Triage and analysis
 35
 36### Investigating Azure Key Vault Secret Key Usage by Unusual Identity
 37
 38Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 39
 40### Possible investigation steps
 41- Review the `azure.platformlogs.identity.claim.upn` field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious.
 42- Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies.
 43- Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
 44- Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
 45- Check the `source.ip` or `geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
 46- Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
 47- Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
 48- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
 49
 50### False positive analysis
 51- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
 52- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
 53- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
 54- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
 55
 56### Response and remediation
 57- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
 58- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
 59- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
 60- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
 61- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
 62- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
 63"""
 64references = ["https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html"]
 65risk_score = 43
 66rule_id = "75c53838-5dcd-11f0-829c-f661ea17fbcd"
 67setup = """#### Required Azure Key Vault Diagnostic Logs
 68
 69To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault:
 70- AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
 71"""
 72severity = "medium"
 73tags = [
 74    "Domain: Cloud",
 75    "Domain: Storage",
 76    "Domain: Identity",
 77    "Data Source: Azure",
 78    "Data Source: Azure Platform Logs",
 79    "Data Source: Azure Key Vault",
 80    "Use Case: Threat Detection",
 81    "Use Case: Identity and Access Audit",
 82    "Tactic: Credential Access",
 83    "Resources: Investigation Guide",
 84]
 85timestamp_override = "event.ingested"
 86type = "new_terms"
 87
 88query = '''
 89event.dataset : "azure.platformlogs" and
 90event.outcome: "success" and
 91event.action : (
 92    "VaultGet" or
 93    "KeyGet" or
 94    "KeyList" or
 95    "KeyListVersions" or
 96    "KeyGetDeleted" or
 97    "KeyListDeleted" or
 98    "SecretGet" or
 99    "SecretList" or
100    "SecretListVersions" or
101    "SecretGetDeleted" or
102    "SecretListDeleted" or
103    "CertificateGet" or
104    "CertificateList" or
105    "CertificateListVersions" or
106    "CertificateGetDeleted" or
107    "CertificateListDeleted" or
108    "CertificatePolicyGet" or
109    "CertificateContactsGet" or
110    "CertificateIssuerGet" or
111    "CertificateIssuersList"
112) and azure.platformlogs.identity.claim.upn: * and azure.platformlogs.properties.id: *
113'''
114
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1555"
120name = "Credentials from Password Stores"
121reference = "https://attack.mitre.org/techniques/T1555/"
122[[rule.threat.technique.subtechnique]]
123id = "T1555.006"
124name = "Cloud Secrets Management Stores"
125reference = "https://attack.mitre.org/techniques/T1555/006/"
126
127
128
129[rule.threat.tactic]
130id = "TA0006"
131name = "Credential Access"
132reference = "https://attack.mitre.org/tactics/TA0006/"
133
134[rule.new_terms]
135field = "new_terms_fields"
136value = ["azure.platformlogs.identity.claim.upn","azure.platformlogs.properties.id"]
137
138[[rule.new_terms.history_window_start]]
139field = "history_window_start"
140value = "now-14d"