Azure Storage Account Key Regenerated
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.
Elastic rule
[metadata]
creation_date = "2020/08/19"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or
Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring
credentials to access systems and resources.
"""
false_positives = [
    """
    It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key
    rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts,
    or locations should be investigated.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Key Regenerated"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Storage Account Key Regenerated

Azure Storage Account keys are critical credentials that grant access to storage resources. They are often used by applications and services to authenticate and interact with Azure Storage. Adversaries may regenerate these keys to gain unauthorized access, potentially disrupting services or exfiltrating data. The detection rule monitors for key regeneration events, flagging successful operations as potential indicators of credential misuse, thus enabling timely investigation and response.

### Possible investigation steps

- Review the Azure activity logs to identify the specific storage account associated with the key regeneration event by examining the operation_name field for "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION".
- Check the event.outcome field to confirm the success of the key regeneration and gather details about the user or service principal that initiated the action.
- Investigate the user or service principal's recent activities in Azure to determine if there are any other suspicious actions or patterns that could indicate unauthorized access or misuse.
- Assess the impact on applications and services that rely on the affected storage account key by identifying dependencies and checking for any service disruptions or anomalies.
- Review access policies and permissions for the storage account to ensure they are appropriately configured and consider implementing additional security measures, such as Azure Key Vault, to manage and rotate keys securely.

### False positive analysis

- Routine key rotation by administrators or automated scripts can trigger alerts. To manage this, identify and document regular key rotation schedules and exclude these events from alerts.
- Development and testing environments often regenerate keys frequently. Exclude these environments from alerts by filtering based on environment tags or resource names.
- Third-party integrations or services that require periodic key regeneration might cause false positives. Work with service owners to understand these patterns and create exceptions for known, legitimate services.
- Azure policies or compliance checks that enforce key rotation can also lead to false positives. Coordinate with compliance teams to align detection rules with policy schedules and exclude these events.
- Ensure that any automated processes that regenerate keys are logged and documented. Use this documentation to create exceptions for these processes in the detection rule.

### Response and remediation

- Immediately revoke the regenerated storage account keys to prevent unauthorized access. This can be done through the Azure portal or using Azure CLI commands.
- Identify and update all applications and services that rely on the compromised storage account keys with new, secure keys to restore functionality and prevent service disruption.
- Conduct a thorough review of access logs and audit trails to identify any unauthorized access or data exfiltration attempts that may have occurred using the regenerated keys.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or accounts have been compromised.
- Implement conditional access policies and multi-factor authentication (MFA) for accessing Azure resources to enhance security and prevent similar incidents.
- Review and update the storage account's access policies and permissions to ensure that only authorized users and applications have the necessary access.
- Enhance monitoring and alerting mechanisms to detect future unauthorized key regeneration attempts promptly, ensuring timely response to potential threats.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
]
risk_score = 21
rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
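To see what the KQL query above actually selects, the following added example (not part of the Elastic rule) replays its conditions over a few constructed Azure activity-log events and applies the exception the false-positive guidance recommends for documented rotation automation. The dotted field names match the query; user.name and azure.resource.name are assumed field names for the actor and the storage account, and the lookback mirrors from = "now-25m".

```python
"""Replay the 'Azure Storage Account Key Regenerated' rule logic over constructed events."""
from datetime import datetime, timedelta, timezone

RULE_OPERATION = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
LOOKBACK = timedelta(minutes=25)  # mirrors the rule's from = "now-25m"
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample events (not real telemetry), keyed by the field names the KQL uses.
# user.name and azure.resource.name are assumed field names, not taken from the rule.
SAMPLE_EVENTS = [
    {"event.dataset": "azure.activitylogs", "event.outcome": "success",          # scheduled rotation SP
     "event.ingested": NOW - timedelta(minutes=3), "user.name": "rotate-sp@contoso.example",
     "azure.activitylogs.operation_name": RULE_OPERATION, "azure.resource.name": "stgprod01"},
    {"event.dataset": "azure.activitylogs", "event.outcome": "Success",          # capitalised outcome
     "event.ingested": NOW - timedelta(minutes=10), "user.name": "contractor@contoso.example",
     "azure.activitylogs.operation_name": RULE_OPERATION, "azure.resource.name": "stgprod01"},
    {"event.dataset": "azure.activitylogs", "event.outcome": "failure",          # failed attempt
     "event.ingested": NOW - timedelta(minutes=2), "user.name": "contractor@contoso.example",
     "azure.activitylogs.operation_name": RULE_OPERATION, "azure.resource.name": "stgprod01"},
    {"event.dataset": "azure.activitylogs", "event.outcome": "success",          # outside lookback
     "event.ingested": NOW - timedelta(hours=2), "user.name": "bob@contoso.example",
     "azure.activitylogs.operation_name": RULE_OPERATION, "azure.resource.name": "stgdev02"},
]


def matches_rule(evt: dict, now: datetime) -> bool:
    """Same conditions as the KQL: dataset, operation name, outcome in either case,
    and ingested inside the lookback window (timestamp_override = event.ingested)."""
    return (
        evt.get("event.dataset") == "azure.activitylogs"
        and evt.get("azure.activitylogs.operation_name") == RULE_OPERATION
        and evt.get("event.outcome") in ("Success", "success")
        and now - evt["event.ingested"] <= LOOKBACK
    )


def triage(events, now=NOW, documented_rotators=frozenset()):
    """Return (actor, storage account) pairs that should alert. Actors in
    documented_rotators are the documented rotation automation the guide says to exempt."""
    alerts = []
    for evt in events:
        if matches_rule(evt, now) and evt.get("user.name") not in documented_rotators:
            alerts.append((evt["user.name"], evt["azure.resource.name"]))
    return alerts
```

Running triage(SAMPLE_EVENTS) without exceptions alerts on both successful regenerations inside the window; adding the rotation service principal to documented_rotators leaves only the contractor's key regeneration, which is the one an analyst should follow the investigation steps for.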
Related rules
- Azure Entra MFA TOTP Brute Force Attempts
- Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- Entra ID Device Code Auth with Broker Client
- First Occurrence of Entra ID Auth via DeviceCode Protocol