security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Key Vault Modified (#230)

Browse Source 
* [New Rule] Azure Update to Key Vault

* Update rules/azure/credential_access_key_vault_update.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_key_vault_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-09-04 11:30:01 -04:00
committed by GitHub
parent 70cc7fd112
commit 0fc78b3c3b
1 changed files with 54 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/azure/credential_access_key_vault_modified.toml
+54
View File
@@ -0,0 +1,54 @@
[metadata]
creation_date = "2020/08/31"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/31"
[rule]
author = ["Elastic"]
description = """
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
key vaults should be secured to allow only authorized applications and users.
"""
false_positives = [
"""
Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Key Vault Modified"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
]
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
severity = "medium"
tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Data Protection"]
type = "query"
query = '''
event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1081"
name = "Credentials in Files"
reference = "https://attack.mitre.org/techniques/T1081/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"