frack113
26 lines
936 B
YAML
26 lines
936 B
YAML
title: Rare Subscription-level Operations In Azure
|
|
id: c1182e02-49a3-481c-b3de-0fadc4091488
|
|
status: experimental
|
|
author: sawwinnnaung
|
|
date: 2020/05/07
|
|
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
|
|
references:
|
|
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
|
|
logsource:
|
|
service: AzureActivity
|
|
detection:
|
|
keywords:
|
|
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
|
|
- Microsoft.Maps/accounts/listKeys/action
|
|
- Microsoft.Media/mediaservices/listKeys/action
|
|
- Microsoft.CognitiveServices/accounts/listKeys/action
|
|
- Microsoft.Storage/storageAccounts/listKeys/action
|
|
- Microsoft.Compute/snapshots/write
|
|
- Microsoft.Network/networkSecurityGroups/write
|
|
condition: keywords
|
|
level: medium
|
|
falsepositives:
|
|
- Valid change
|
|
tags:
|
|
- attack.t1003
|