Azure Storage Account Key Regenerated
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/19"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or
Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring
credentials to access systems and resources.
"""
false_positives = [
    """
    It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key
    rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts,
    or locations should be investigated.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Key Regenerated"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
]
risk_score = 21
rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
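The following is an added example, not code from the Elastic rule or its repository. It evaluates the rule's query predicate over constructed Azure activity-log events in ECS shape (dotted keys, as the Azure Fleet integration would produce) and then applies the rule's own false-positive guidance by exempting identities known to perform routine rotation. The `user.name` field and the sample events are assumptions made for the example.

```python
# Added example (not part of the Elastic rule): mirror the query predicate
# and apply the false_positives guidance (exempt routine, known rotators).
from typing import Dict, Iterable, List, Set

# Operation name quoted in the rule's query.
REGEN_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"


def matches_rule(event: Dict[str, str]) -> bool:
    """Equivalent of the page's KQL:
    event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:"<REGEN_OP>" and
    event.outcome:(Success or success)
    Keyword matches are exact, which is why the rule lists both spellings."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == REGEN_OP
        and event.get("event.outcome") in ("Success", "success")
    )


def triage(events: Iterable[Dict[str, str]], allowed_rotators: Set[str]) -> List[Dict[str, str]]:
    """Return the events that should alert: rule hits whose caller is not on
    the exemption list. 'user.name' as the caller field is an assumption."""
    return [e for e in events if matches_rule(e) and e.get("user.name") not in allowed_rotators]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event.dataset": "azure.activitylogs", "azure.activitylogs.operation_name": REGEN_OP,
     "event.outcome": "Success", "user.name": "key-rotation-automation"},   # exempt
    {"event.dataset": "azure.activitylogs", "azure.activitylogs.operation_name": REGEN_OP,
     "event.outcome": "success", "user.name": "jdoe"},                      # alert (lowercase outcome)
    {"event.dataset": "azure.activitylogs", "azure.activitylogs.operation_name": REGEN_OP,
     "event.outcome": "Failure", "user.name": "jdoe"},                      # no alert: failed attempt
    {"event.dataset": "azure.activitylogs",
     "azure.activitylogs.operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "event.outcome": "Success", "user.name": "jdoe"},                      # no alert: other operation
    {"event.dataset": "azure.activitylogs", "azure.activitylogs.operation_name": REGEN_OP,
     "event.outcome": "Success", "user.name": "contractor-guest"},          # alert
]


def run_sample() -> List[str]:
    """Callers that would alert on the constructed sample."""
    return [e["user.name"] for e in triage(SAMPLE_EVENTS, {"key-rotation-automation"})]


if __name__ == "__main__":
    print(run_sample())  # ['jdoe', 'contractor-guest']
```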
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal
Related rules
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group
- AWS Management Console Brute Force of Root User Identity
- Azure AD Global Administrator Role Assigned