Azure Storage Account Key Regenerated
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.
Elastic rule:

```toml
[metadata]
creation_date = "2020/08/19"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or
Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring
credentials to access systems and resources.
"""
false_positives = [
    """
    It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key
    rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts,
    or locations should be investigated.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Key Regenerated"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
]
risk_score = 21
rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
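The following is an added example, not part of the Elastic rule or its repository. It re-implements the rule's KQL match logic in Python, runs it over a handful of constructed Azure activity-log events, and then applies the triage guidance from the rule's `false_positives` note: a rotation by a known automation principal during expected hours is treated as routine, while a rotation by an unfamiliar user or at an unusual time is flagged for investigation. The allowlisted principal name, the expected-hours window, and the `user.name`, `source.ip` and `@timestamp` field names are assumptions for illustration, not values taken from the rule.

```python
"""Added example: apply the 'Azure Storage Account Key Regenerated' match logic and
the rule's false-positive triage guidance to constructed activity-log events."""
from datetime import datetime, timezone

# Operation name exactly as the rule's KQL query matches it.
REGENERATE_KEY_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"

# Triage assumptions (not from the rule): a service principal that performs
# scheduled rotation, and the UTC hours during which rotation is expected.
KNOWN_ROTATION_PRINCIPALS = {"sp-key-rotation-automation"}
EXPECTED_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC

# Constructed sample events in flattened ECS-style field names.
SAMPLE_EVENTS = [
    {  # routine rotation by the automation principal during expected hours
        "@timestamp": "2023-06-22T10:15:00Z",
        "event.dataset": "azure.activitylogs",
        "event.outcome": "Success",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "user.name": "sp-key-rotation-automation",
        "source.ip": "10.0.0.5",
    },
    {  # same operation, unfamiliar user, 03:02 UTC (lower-case outcome spelling)
        "@timestamp": "2023-06-23T03:02:00Z",
        "event.dataset": "azure.activitylogs",
        "event.outcome": "success",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "user.name": "contractor@example.com",
        "source.ip": "203.0.113.7",
    },
    {  # failed regeneration attempt: the rule only alerts on successes
        "@timestamp": "2023-06-23T03:05:00Z",
        "event.dataset": "azure.activitylogs",
        "event.outcome": "Failure",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "user.name": "contractor@example.com",
        "source.ip": "203.0.113.7",
    },
    {  # unrelated storage operation (constructed name): not matched
        "@timestamp": "2023-06-23T09:00:00Z",
        "event.dataset": "azure.activitylogs",
        "event.outcome": "Success",
        "azure.activitylogs.operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
        "user.name": "app-backend",
        "source.ip": "10.0.0.9",
    },
]


def matches_rule(event: dict) -> bool:
    """Mirror the rule query: dataset is azure.activitylogs, the operation is the
    key regeneration action, and the outcome is Success or success (the rule
    lists both spellings because keyword matches are case-sensitive)."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == REGENERATE_KEY_OP
        and event.get("event.outcome") in ("Success", "success")
    )


def triage(event: dict) -> str:
    """Classify a matching event using the false_positives guidance: routine
    rotation by a known principal at an expected time, otherwise investigate."""
    ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
    principal = event.get("user.name", "<unknown>")
    if principal in KNOWN_ROTATION_PRINCIPALS and ts.hour in EXPECTED_HOURS_UTC:
        return "expected: routine rotation by known principal"
    reasons = []
    if principal not in KNOWN_ROTATION_PRINCIPALS:
        reasons.append(f"unfamiliar principal {principal}")
    if ts.hour not in EXPECTED_HOURS_UTC:
        reasons.append(f"outside expected hours ({ts.strftime('%H:%M')} UTC)")
    return "investigate: " + ", ".join(reasons)


def run(events) -> list:
    """Return (event index, triage verdict) for every event the rule would alert on."""
    return [(i, triage(e)) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx, verdict in run(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

Only the two successful regenerations produce alerts; the failed attempt and the unrelated operation are dropped by the match, exactly as the KQL would drop them. The triage step is where the `false_positives` guidance lives: the allowlist is deliberately kept outside the query so that routine rotations can be suppressed without loosening the detection itself.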
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
Related rules
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Application Credential Modification