Azure Key Vault Modified

Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/31"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
11like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
12key vaults should be secured to allow only authorized applications and users.
13"""
14false_positives = [
15    """
16    Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
17    and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
18    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19    """,
20]
21from = "now-25m"
22index = ["filebeat-*", "logs-azure*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Azure Key Vault Modified"
26note = """## Setup
27
28The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
31    "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
32    "https://www.elastic.co/security-labs/detect-credential-access",
33]
34risk_score = 47
35rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
36severity = "medium"
37tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1552"
50name = "Unsecured Credentials"
51reference = "https://attack.mitre.org/techniques/T1552/"
52[[rule.threat.technique.subtechnique]]
53id = "T1552.001"
54name = "Credentials In Files"
55reference = "https://attack.mitre.org/techniques/T1552/001/"
56
57
58
59[rule.threat.tactic]
60id = "TA0006"
61name = "Credential Access"
62reference = "https://attack.mitre.org/tactics/TA0006/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top