Azure Blob Permissions Modification
Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/09/22"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Austin Songer"]
9description = """
10Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An
11adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may
12inadvertently modify the permissions, which could lead to data exposure or loss.
13"""
14false_positives = [
15 """
16 Blob permissions may be modified by system administrators. Verify that the configuration change was expected.
17 Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20index = ["filebeat-*", "logs-azure*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Azure Blob Permissions Modification"
24note = """## Setup
25
26The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"]
28risk_score = 47
29rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
30severity = "medium"
31tags = [
32 "Domain: Cloud",
33 "Data Source: Azure",
34 "Use Case: Identity and Access Audit",
35 "Tactic: Defense Evasion",
36 "Data Source: Elastic Defend",
37]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
43 "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
44 "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
45 event.outcome:(Success or success)
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1222"
53name = "File and Directory Permissions Modification"
54reference = "https://attack.mitre.org/techniques/T1222/"
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
This article describes the Azure built-in roles for Azure role-based access control (Azure RBAC). It lists Actions, NotActions, DataActions, and NotDataActions.
Read More
Related rules
- Azure Application Credential Modification
- Azure Service Principal Addition
- AWS SAML Activity
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in