Azure Storage Account Key Regenerated

Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/19"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or
Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring
credentials to access systems and resources.
"""
false_positives = [
    """
    It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key
    rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts,
    or locations should be investigated.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Key Regenerated"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
]
risk_score = 21
rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
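To show what the query above actually selects, and how the false-positive guidance (exempt routine rotation, investigate unfamiliar principals) can be applied to the hits, here is an added example that is not part of the Elastic rule or the detection-rules repository. The sample events are constructed, and the `user.name` field used to identify the caller is an assumed ECS mapping.

```python
# Added example, not part of the Elastic rule or the detection-rules repository.
# Evaluates the rule's KQL condition over constructed ECS-shaped Azure activity
# log documents, then applies the false-positive guidance: exempt known rotation
# principals and surface everything else for investigation.

REGENERATE_KEY_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"

# Constructed sample events; the user.name mapping is an assumption for illustration.
SAMPLE_EVENTS = [
    {"event": {"dataset": "azure.activitylogs", "outcome": "Success"},
     "azure": {"activitylogs": {"operation_name": REGENERATE_KEY_OP}},
     "user": {"name": "key-rotation-automation"}},      # scheduled rotation
    {"event": {"dataset": "azure.activitylogs", "outcome": "success"},
     "azure": {"activitylogs": {"operation_name": REGENERATE_KEY_OP}},
     "user": {"name": "contractor01"}},                 # unfamiliar principal
    {"event": {"dataset": "azure.activitylogs", "outcome": "Failure"},
     "azure": {"activitylogs": {"operation_name": REGENERATE_KEY_OP}},
     "user": {"name": "contractor01"}},                 # failed attempt: rule ignores it
    {"event": {"dataset": "azure.activitylogs", "outcome": "Success"},
     "azure": {"activitylogs": {"operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"}},
     "user": {"name": "contractor01"}},                 # different operation: not in scope
]

def get_field(doc, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc):
    """Mirror of the KQL: dataset, REGENERATEKEY operation, successful outcome.
    Keyword terms in KQL are case-sensitive, which is why the rule lists both
    'Success' and 'success'; one lowercase compare covers both spellings."""
    outcome = get_field(doc, "event.outcome")
    return (
        get_field(doc, "event.dataset") == "azure.activitylogs"
        and get_field(doc, "azure.activitylogs.operation_name") == REGENERATE_KEY_OP
        and isinstance(outcome, str) and outcome.lower() == "success"
    )

def triage(events, approved_rotators):
    """Actors of matching events that are not known rotation principals."""
    return [get_field(e, "user.name") for e in events
            if matches_rule(e) and get_field(e, "user.name") not in approved_rotators]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, {"key-rotation-automation"}))  # ['contractor01']
```

The exemption list stands in for the "normal key rotation" the rule's false_positives note says can be excluded; in a real deployment that would be a rule exception rather than post-processing.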

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal