Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
Sigma rule (View on GitHub)
1title: Rare Subscription-level Operations In Azure
2id: c1182e02-49a3-481c-b3de-0fadc4091488
3status: test
4description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
5references:
6 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
7author: sawwinnnaung
8date: 2020-05-07
9modified: 2023-10-11
10tags:
11 - attack.t1003
12logsource:
13 product: azure
14 service: activitylogs
15detection:
16 keywords:
17 - Microsoft.DocumentDB/databaseAccounts/listKeys/action
18 - Microsoft.Maps/accounts/listKeys/action
19 - Microsoft.Media/mediaservices/listKeys/action
20 - Microsoft.CognitiveServices/accounts/listKeys/action
21 - Microsoft.Storage/storageAccounts/listKeys/action
22 - Microsoft.Compute/snapshots/write
23 - Microsoft.Network/networkSecurityGroups/write
24 condition: keywords
25falsepositives:
26 - Valid change
27level: medium
References
-
Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel
Read More
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump