Azure Key Vault Modified
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
key vaults should be secured to allow only authorized applications and users.
"""
false_positives = [
    """
    Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
    and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Key Vault Modified"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Key Vault Modified

Azure Key Vault is a critical service for managing sensitive information like encryption keys and secrets, and the vault's configuration decides who can reach them. An adversary holding a role with write permission on a vault can loosen that configuration, for example by adding an access policy, switching the authorization model, or relaxing network rules, and then read credentials through the data plane. This rule matches successful `Microsoft.KeyVault/vaults/write` operations in the Azure activity log, that is, control-plane changes to the vault resource itself (creation, access policies, RBAC authorization mode, network rules, soft-delete and purge protection). Two scoping points matter in triage: the query is an exact match on that operation name, so access-policy changes made through the `accessPolicies` sub-resource may be logged under `Microsoft.KeyVault/vaults/accessPolicies/write` and are not covered; and data-plane operations on individual secrets, keys and certificates never appear in the activity log, only in Key Vault diagnostic logs (the `AuditEvent` category).

### Possible investigation steps

- Identify who performed the write from the caller fields of the activity-log event (for example `azure.activitylogs.identity.claims_initiated_by_user.name` for users, the application ID claim for service principals, and `source.ip`), and which vault was changed (`azure.resource.name`, `azure.resource.group`, `azure.subscription_id`).
- Check the timestamp of the write operation to determine if it aligns with expected maintenance windows or known changes, which could indicate legitimate activity.
- Determine what was actually changed. The activity log records that a vault write succeeded, not the secret contents; compare the vault's current configuration (for example with `az keyvault show`) against its previous state, looking for new access policies, a change of authorization mode, relaxed network rules, or disabled soft-delete or purge protection.
- Correlate the activity with other security logs or alerts to identify any related suspicious behavior, such as failed login attempts or unusual access patterns from the same user or application.
- Verify that the caller's role assignments (for example Owner, Contributor or Key Vault Contributor on the vault, resource group or subscription) legitimately allowed the change, and check whether that role was assigned recently.
- Assess the impact: if access was widened, review Key Vault diagnostic logs (`AuditEvent`) for subsequent secret, key or certificate reads by the same identity, and evaluate the risk to the organization.

### False positive analysis

- Routine administrative updates to Key Vault configurations by authorized personnel can trigger alerts. Tune with narrow exceptions rather than excluding administrator accounts wholesale: an attacker who modifies a vault will usually do so with exactly those privileged accounts, so exceptions on human identities should be specific and time-bound.
- Automated scripts or applications that regularly update Key Vault settings as part of normal operations (infrastructure-as-code pipelines, for example) may cause false positives. Identify the service principal or managed identity they run as and add an exception keyed on that identity and the resource groups it deploys to.
- Scheduled maintenance activities that involve updating Key Vault settings can be mistaken for unauthorized modifications. Document these activities and create exceptions for the time frames during which they occur.
- Integration with third-party services that require periodic updates to Key Vault settings might generate alerts. Verify these integrations and exclude their operations if they are deemed secure and necessary.

### Response and remediation

- Immediately revoke access to the affected Key Vault for any unauthorized users or applications identified during the investigation to prevent further unauthorized access.
- Rotate all secrets, keys, and certificates stored in the compromised Key Vault to ensure that any potentially exposed credentials are no longer valid.
- Conduct a thorough review of the Key Vault's access policies, role assignments and network rules to ensure that only authorized users and applications have the necessary access, and tighten them where needed (for example RBAC authorization, private endpoints or firewall rules, and purge protection).
- Ensure Key Vault diagnostic settings forward the `AuditEvent` category to your SIEM so that data-plane access to secrets, keys and certificates is captured; the activity log alone records only control-plane changes such as the one this rule detects.
- Notify the security team and relevant stakeholders about the incident, providing them with details of the unauthorized modifications and actions taken to remediate the issue.
- If the unauthorized access is suspected to be part of a larger breach, escalate the incident to the incident response team for further investigation and potential involvement of law enforcement if necessary.
- Review and update incident response plans and playbooks to incorporate lessons learned from this incident, ensuring a more effective response to similar threats in the future.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
    "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
    "https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
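The query above is the whole detection. To make its behaviour concrete, the following added example (written for this page, not part of the Elastic rule or the Azure integration) replays the same predicate in Python over a handful of constructed activity-log events in the Elastic ECS field layout, then layers on the two things a triage workflow needs that the raw match does not give: an exception list keyed on a pipeline's service-principal app ID rather than on human administrators, and a report of successful Key Vault control-plane writes that the exact match on `MICROSOFT.KEYVAULT/VAULTS/WRITE` skips (such as a write logged under the `accessPolicies` sub-resource). The identities, IP addresses, app ID and vault name are hypothetical, and the `claims.appid` location for service-principal callers is an assumption about how the claims object is ingested.

```python
"""Replay of the 'Azure Key Vault Modified' match logic over constructed Azure
activity-log events in the Elastic ECS shape, plus an allowlist for automation
identities and a report of vault writes the exact-match query does not cover."""
import json

RULE_DATASET = "azure.activitylogs"
RULE_OPERATION = "MICROSOFT.KEYVAULT/VAULTS/WRITE"  # exact match on a keyword field
RULE_OUTCOMES = {"Success", "success"}             # event.outcome:(Success or success)
PIPELINE_APP_ID = "0f4c2a1e-1111-4222-8333-444455556666"  # hypothetical IaC service principal


def activity_event(operation, outcome, user=None, appid=None, vault="kv-prod-payments",
                   ip=None, dataset=RULE_DATASET):
    """Build a minimal ECS-shaped activity-log event. Constructed data, not real telemetry."""
    identity = {}
    if user:
        identity["claims_initiated_by_user"] = {"name": user}
    if appid:
        identity["claims"] = {"appid": appid}  # assumed location of the app ID claim
    return {
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": operation, "identity": identity},
                  "resource": {"name": vault, "group": "rg-prod"}},
        "source": {"ip": ip},
    }


SAMPLE_EVENTS = [
    # 1: interactive vault change from an unfamiliar address -> alert
    activity_event(RULE_OPERATION, "Success", user="alice@example.com", ip="203.0.113.7"),
    # 2: same operation by the IaC pipeline's service principal -> allowlisted
    activity_event(RULE_OPERATION, "success", appid=PIPELINE_APP_ID, ip="198.51.100.20"),
    # 3: the same write, but it failed -> no match
    activity_event(RULE_OPERATION, "failure", user="bob@example.com", ip="203.0.113.9"),
    # 4: access policy written through the accessPolicies sub-resource -> exact query misses it
    activity_event("MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE", "success",
                   user="alice@example.com", ip="203.0.113.7"),
    # 5: same operation name but a different dataset -> no match
    activity_event(RULE_OPERATION, "success", user="carol@example.com", dataset="azure.auditlogs"),
]


def get_path(event, dotted, default=None):
    """Walk a dotted ECS field path through nested dicts."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def caller(event):
    """Caller identity: UPN for users, app ID claim for service principals, else 'unknown'."""
    return (get_path(event, "azure.activitylogs.identity.claims_initiated_by_user.name")
            or get_path(event, "azure.activitylogs.identity.claims.appid")
            or "unknown")


def matches_rule(event):
    """Same predicate as the rule's KQL query."""
    return (get_path(event, "event.dataset") == RULE_DATASET
            and get_path(event, "azure.activitylogs.operation_name") == RULE_OPERATION
            and get_path(event, "event.outcome") in RULE_OUTCOMES)


def is_uncovered_keyvault_write(event):
    """Successful Microsoft.KeyVault vault write that the exact match skips."""
    op = str(get_path(event, "azure.activitylogs.operation_name", "")).upper()
    return (get_path(event, "event.dataset") == RULE_DATASET
            and get_path(event, "event.outcome") in RULE_OUTCOMES
            and op.startswith("MICROSOFT.KEYVAULT/VAULTS/")
            and op.endswith("/WRITE")
            and op != RULE_OPERATION)


def triage(events, allowed_callers):
    """Bucket events into alerts, allowlisted matches and coverage gaps."""
    report = {"alerts": [], "suppressed": [], "uncovered": []}
    for ev in events:
        summary = {"caller": caller(ev),
                   "operation": get_path(ev, "azure.activitylogs.operation_name"),
                   "resource": get_path(ev, "azure.resource.name"),
                   "source_ip": get_path(ev, "source.ip")}
        if matches_rule(ev):
            bucket = "suppressed" if summary["caller"] in allowed_callers else "alerts"
            report[bucket].append(summary)
        elif is_uncovered_keyvault_write(ev):
            report["uncovered"].append(summary)
    return report


if __name__ == "__main__":
    # Allowlist keyed on the pipeline's app ID, never on human administrator accounts.
    print(json.dumps(triage(SAMPLE_EVENTS, {PIPELINE_APP_ID}), indent=2))
```

Running it yields one alert (the interactive change by the user from the unfamiliar address), one suppressed match (the pipeline's service principal) and one uncovered write (the `ACCESSPOLICIES/WRITE` event), while the failed write and the event from a different dataset are ignored exactly as the KQL query would ignore them. The `uncovered` bucket is the practical reason to check this rule's scope against your own activity-log data before relying on it as the only control-plane detection for vaults.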
Related rules
- Azure Full Network Packet Capture Detected
- Azure Storage Account Key Regenerated
- Entra ID Device Code Auth with Broker Client
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS EC2 Instance Console Login via Assumed Role