Azure Key Vault Modified
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/31"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
13like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
14key vaults should be secured to allow only authorized applications and users.
15"""
16false_positives = [
17 """
18 Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
19 and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
20 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21 """,
22]
23from = "now-25m"
24index = ["filebeat-*", "logs-azure*"]
25language = "kuery"
26license = "Elastic License v2"
27name = "Azure Key Vault Modified"
28note = """## Setup
29
30The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = [
32 "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
33 "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
34 "https://www.elastic.co/security-labs/detect-credential-access",
35]
36risk_score = 47
37rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
38severity = "medium"
39tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1552"
52name = "Unsecured Credentials"
53reference = "https://attack.mitre.org/techniques/T1552/"
54[[rule.threat.technique.subtechnique]]
55id = "T1552.001"
56name = "Credentials In Files"
57reference = "https://attack.mitre.org/techniques/T1552/001/"
58
59
60
61[rule.threat.tactic]
62id = "TA0006"
63name = "Credential Access"
64reference = "https://attack.mitre.org/tactics/TA0006/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Learn how Azure Key Vault safeguards cryptographic keys and secrets that cloud applications and services use.
Read More -
-
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Read More
Related rules
- Azure Storage Account Key Regenerated
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in