diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
deleted file mode 100644
index c39fded59..000000000
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ /dev/null
@@ -1,98 +0,0 @@
-[metadata]
-creation_date = "2020/08/31"
-integration = ["azure"]
-maturity = "production"
-updated_date = "2025/01/15"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
-like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
-key vaults should be secured to allow only authorized applications and users.
-"""
-false_positives = [
-    """
-    Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
-    and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
-    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-    """,
-]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Azure Key Vault Modified"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Azure Key Vault Modified
-
-Azure Key Vault is a critical service for managing sensitive information like encryption keys and secrets. It ensures that only authorized users and applications can access these resources. However, adversaries may attempt to modify Key Vault settings to gain unauthorized access to credentials. The detection rule monitors for successful write operations to Key Vaults, flagging potential unauthorized modifications that could indicate credential access attempts.
-
-### Possible investigation steps
-
-- Review the Azure activity logs to identify the specific user or application that performed the write operation on the Key Vault by examining the user identity and application ID fields.
-- Check the timestamp of the write operation to determine if it aligns with expected maintenance windows or known changes, which could indicate legitimate activity.
-- Investigate the specific changes made to the Key Vault by reviewing the operation details to understand what was modified, such as access policies or secret values.
-- Correlate the activity with other security logs or alerts to identify any related suspicious behavior, such as failed login attempts or unusual access patterns from the same user or application.
-- Verify if the user or application that performed the write operation had legitimate access and permissions to modify the Key Vault by reviewing their role assignments and access policies.
-- Assess the potential impact of the modification by determining if any sensitive keys or secrets were exposed or altered, and evaluate the risk to the organization.
-
-### False positive analysis
-
-- Routine administrative updates to Key Vault configurations by authorized personnel can trigger alerts. To manage this, maintain a list of known administrative accounts and exclude their activities from triggering alerts.
-- Automated scripts or applications that regularly update Key Vault settings as part of normal operations may cause false positives. Identify these scripts and whitelist their operations to prevent unnecessary alerts.
-- Scheduled maintenance activities that involve updating Key Vault settings can be mistaken for unauthorized modifications. Document these activities and create exceptions for the time frames during which they occur.
-- Integration with third-party services that require periodic updates to Key Vault settings might generate alerts. Verify these integrations and exclude their operations if they are deemed secure and necessary.
-
-### Response and remediation
-
-- Immediately revoke access to the affected Key Vault for any unauthorized users or applications identified during the investigation to prevent further unauthorized access.
-- Rotate all secrets, keys, and certificates stored in the compromised Key Vault to ensure that any potentially exposed credentials are no longer valid.
-- Conduct a thorough review of the Key Vault's access policies and permissions to ensure that only authorized users and applications have the necessary access, and implement stricter access controls if needed.
-- Enable logging and monitoring for the Key Vault to capture detailed access and modification events, ensuring that any future unauthorized attempts are quickly detected.
-- Notify the security team and relevant stakeholders about the incident, providing them with details of the unauthorized modifications and actions taken to remediate the issue.
-- If the unauthorized access is suspected to be part of a larger breach, escalate the incident to the incident response team for further investigation and potential involvement of law enforcement if necessary.
-- Review and update incident response plans and playbooks to incorporate lessons learned from this incident, ensuring a more effective response to similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = [
-    "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
-    "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
-    "https://www.elastic.co/security-labs/detect-credential-access",
-]
-risk_score = 47
-rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
-severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique.subtechnique]]
-id = "T1552.001"
-name = "Credentials In Files"
-reference = "https://attack.mitre.org/techniques/T1552/001/"
-
-
-
-[rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/integrations/azure/impact_azure_key_vault_modified.toml b/rules/integrations/azure/impact_azure_key_vault_modified.toml
new file mode 100644
index 000000000..b7c2cf638
--- /dev/null
+++ b/rules/integrations/azure/impact_azure_key_vault_modified.toml
@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2020/08/31"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/07/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
+like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
+key vaults should be secured to allow only authorized applications and users. This is a New Terms rule that detects when this activity hasn't been seen by the user in a specified time frame.
+"""
+false_positives = [
+    """
+    Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
+    and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
+    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Key Vault Modified"
+note = """## Triage and analysis
+
+### Investigating Azure Key Vault Modified
+
+Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects modifications to Key Vaults, which may indicate potential security incidents or misconfigurations.
+
+### Possible investigation steps
+- Review the `azure.activitylogs.operation_name` field to identify the specific operation performed on the Key Vault. Common operations include `Microsoft.KeyVault/vaults/write` for modifications and `Microsoft.KeyVault/vaults/delete` for deletions.
+- Check the `event.outcome` field to confirm the success of the operation. A successful outcome indicates that the modification or deletion was completed.
+- Investigate the `azure.activitylogs.identity.principal_id` or `azure.activitylogs.identity.principal_name` fields to determine the user or service principal that performed the operation. This can help identify whether the action was authorized or potentially malicious.
+- Analyze the `azure.activitylogs.resource_id` field to identify the specific Key Vault that was modified. This can help assess the impact of the change and whether it affects critical resources or applications.
+- Cross-reference the time of the modification with other security events or alerts in the environment to identify any patterns or related activities that may indicate a coordinated attack or misconfiguration.
+- Consult with relevant stakeholders or system owners to verify if the modification was planned or expected, and gather additional context if necessary.
+
+### False positive analysis
+- Routine maintenance activities by administrators can trigger alerts when they modify or delete Key Vaults. To manage this, create exceptions for known maintenance windows or specific administrator accounts.
+- Automated scripts or tools used for Key Vault management might perform frequent updates or deletions, leading to false positives. Identify these scripts and exclude their operations from triggering alerts by using specific identifiers or tags.
+- Changes made by authorized third-party services or integrations that manage Key Vault configurations can also result in false positives. Review and whitelist these services to prevent unnecessary alerts.
+- Regular updates or deployments in a development or testing environment may cause alerts. Consider excluding these environments from monitoring or adjusting the rule to focus on production environments only.
+- Temporary changes for troubleshooting or testing purposes might be flagged. Document these activities and use temporary exceptions to avoid false positives during these periods.
+
+### Response and remediation
+- Immediately isolate the affected Key Vault to prevent further unauthorized access or changes.
+- Review the Azure activity logs to identify the specific operations performed on the Key Vault and their outcomes.
+- Collaborate with security teams to assess the impact of the modifications and determine if any sensitive data was compromised.
+- If unauthorized changes are confirmed, initiate incident response procedures, including notifying affected parties and conducting a thorough investigation.
+- Implement additional monitoring and alerting for the affected Key Vault to detect any further suspicious activity.
+"""
+references = [
+    "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
+    "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
+    "https://learn.microsoft.com/en-us/azure/key-vault/general/security-features"
+]
+risk_score = 21
+rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Tactic: Impact",
+    "Use Case: Configuration Audit",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.activitylogs"
+    and azure.activitylogs.operation_name: MICROSOFT.KEYVAULT/VAULTS/*
+    and event.outcome:(Success or success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
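Review bot: The query term `azure.activitylogs.operation_name: MICROSOFT.KEYVAULT/VAULTS/*` in the new file is broader than the rule name, description and guide imply: the suffix wildcard matches every operation name beneath the vault resource type, not only the write and delete operations the investigation steps call out, so any other operation type logged under that prefix will also seed the new-terms baseline and raise alerts. If write and delete are the intended scope, list them explicitly in the quoted form the deleted file used, `and azure.activitylogs.operation_name: ("MICROSOFT.KEYVAULT/VAULTS/WRITE" or "MICROSOFT.KEYVAULT/VAULTS/DELETE")`; if the wider scope is intentional, say so in the description so analysts know any successful control-plane operation on a vault is in play. The guide cites the operation names in mixed case (`Microsoft.KeyVault/vaults/write`) while the query matches the uppercase form; if this is a keyword field the two spellings are not interchangeable for a wildcard match, so the guide should quote the value the query actually matches. The description sentence `This is a New Terms rule that detects when this activity hasn't been seen by the user in a specified time frame.` reads more precisely as `This is a New Terms rule that alerts when the initiating user has not performed this activity within the history window.`, which also ties it to the `claims_initiated_by_user.name` term the rule keys on. Style nit: the multi-line `references` and `tags` arrays dropped the trailing comma that the deleted file used.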