Azure Key Vault Modified
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/31"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
11like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
12key vaults should be secured to allow only authorized applications and users.
13"""
14false_positives = [
15 """
16 Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
17 and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
18 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19 """,
20]
21from = "now-25m"
22index = ["filebeat-*", "logs-azure*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Azure Key Vault Modified"
26note = """## Setup
27
28The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
31 "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
32 "https://www.elastic.co/security-labs/detect-credential-access",
33]
34risk_score = 47
35rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
36severity = "medium"
37tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1552"
50name = "Unsecured Credentials"
51reference = "https://attack.mitre.org/techniques/T1552/"
52[[rule.threat.technique.subtechnique]]
53id = "T1552.001"
54name = "Credentials In Files"
55reference = "https://attack.mitre.org/techniques/T1552/001/"
56
57
58
59[rule.threat.tactic]
60id = "TA0006"
61name = "Credential Access"
62reference = "https://attack.mitre.org/tactics/TA0006/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Learn how Azure Key Vault safeguards cryptographic keys and secrets that cloud applications and services use.
Read More -
-
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Azure Full Network Packet Capture Detected
- Azure Storage Account Key Regenerated
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group