Azure Blob Permissions Modification

Identifies successful Azure activity-log events in which the permissions or ownership of an Azure Blob are modified. The rule matches the MANAGEOWNERSHIP and MODIFYPERMISSIONS actions on blobs under Microsoft.Storage, so it fires on the change itself rather than on any later access to the data. An adversary may change the permissions on a blob to weaken the target's access controls, for example to grant themselves or a broader set of principals access to data they should not be able to read; an administrator may also change them by mistake. Either case can lead to data exposure or loss, so a match should be checked against the change records for the storage account and the identity that performed the action.

Elastic rule

[metadata]
creation_date = "2021/09/22"
integration = ["azure"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Austin Songer"]
description = """
Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An
adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may
inadvertently modify the permissions, which could lead to data exposure or loss.
"""
false_positives = [
    """
    Blob permissions may be modified by system administrators. Verify that the configuration change was expected.
    Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Blob Permissions Modification"
note = """## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"]
risk_score = 47
rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Use Case: Identity and Access Audit",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
  event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
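The KQL query above has three conditions: the dataset, one of two exact operation names, and a successful outcome. The following Python re-implements those conditions so they can be exercised offline against sample events, and adds the first triage step for the rule's documented false positive (counting alerts per acting identity). This is an added example, not code from the Elastic rule or the detection-rules repository. The sample events are constructed, not real telemetry; the actor field `user.name` and the resource field `azure.resource.name` are assumptions about how a feed maps the caller and the target, and the comment about the Elastic Azure integration upper-casing `azure.activitylogs.operation_name` at ingest reflects that integration's pipeline, which is why the rule can match upper-case strings exactly.

```python
import json
from collections import Counter

# Operation names copied from the rule's query. The Elastic Azure integration
# upper-cases azure.activitylogs.operation_name at ingest, which is why the
# rule matches exact upper-case strings; a feed that keeps the original casing
# of operationName would never trigger this rule (see the last sample event).
WATCHED_OPERATIONS = {
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION",
}

# The rule accepts both spellings of a successful outcome.
SUCCESS_OUTCOMES = {"Success", "success"}


def get_field(event, dotted, default=None):
    """Resolve a dotted field name against an ECS-style nested document."""
    current = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    return current


def matches_rule(event):
    """Apply the three conditions of the rule's KQL query to one event."""
    return (
        get_field(event, "event.dataset") == "azure.activitylogs"
        and get_field(event, "azure.activitylogs.operation_name") in WATCHED_OPERATIONS
        and get_field(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def run_rule(ndjson_lines):
    """Return the parsed events, in input order, that the rule would alert on."""
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if line:
            event = json.loads(line)
            if matches_rule(event):
                hits.append(event)
    return hits


def summarize_by_actor(hits, actor_field="user.name"):
    """Count alerts per acting identity. This is the first triage step for the
    rule's documented false positive (administrators legitimately changing blob
    permissions): a known admin account touching its own team's container reads
    very differently from an unfamiliar principal touching many containers.
    The field name user.name is an assumption about how the feed maps the
    caller; adjust it to whatever your pipeline populates."""
    return Counter(get_field(hit, actor_field, "<unknown>") for hit in hits)


# Constructed sample events (not real telemetry), one JSON document per line,
# carrying the fields the rule reads plus an actor and a resource name.
def _event(dataset, operation, outcome, actor, resource):
    return json.dumps({
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": operation},
                  "resource": {"name": resource}},
        "user": {"name": actor},
    })


BLOB_PREFIX = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/"
SAMPLE_EVENTS = [
    # permissions changed, outcome "Success": alert
    _event("azure.activitylogs", BLOB_PREFIX + "MODIFYPERMISSIONS/ACTION", "Success", "admin@contoso.example", "finance-reports"),
    # ownership changed, lower-case "success": alert
    _event("azure.activitylogs", BLOB_PREFIX + "MANAGEOWNERSHIP/ACTION", "success", "svc-etl@contoso.example", "raw-ingest"),
    # failed attempt: the rule ignores it
    _event("azure.activitylogs", BLOB_PREFIX + "MANAGEOWNERSHIP/ACTION", "Failure", "intern@contoso.example", "finance-reports"),
    # a read, not a permission change
    _event("azure.activitylogs", BLOB_PREFIX + "READ", "Success", "admin@contoso.example", "finance-reports"),
    # right operation, wrong dataset
    _event("azure.auditlogs", BLOB_PREFIX + "MODIFYPERMISSIONS/ACTION", "Success", "admin@contoso.example", "finance-reports"),
    # right operation but original casing: a keyword match is case-sensitive
    _event("azure.activitylogs", (BLOB_PREFIX + "MODIFYPERMISSIONS/ACTION").lower(), "Success", "admin@contoso.example", "finance-reports"),
]


if __name__ == "__main__":
    alerts = run_rule(SAMPLE_EVENTS)
    for alert in alerts:
        print(get_field(alert, "user.name"), get_field(alert, "azure.resource.name"),
              get_field(alert, "azure.activitylogs.operation_name"))
    print(dict(summarize_by_actor(alerts)))
```

Run against the six constructed events, only the first two produce alerts; the failed attempt is dropped by the outcome check, the read and the wrong dataset never match, and the lower-case operation name shows why the ingest-time normalization matters when the rule is pointed at data that did not come through the Elastic integration.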

Setup

This rule needs events from the Azure Fleet integration, the Filebeat Azure module, or another source that produces the same field structure: event.dataset set to azure.activitylogs, azure.activitylogs.operation_name in the normalized upper-case form the query matches, and event.outcome populated.

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles