security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Event Hub Authorization Rule Created or Updated (#173)

Browse Source 
* Create collection_update_event_hub_auth_rule.toml

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/collection_update_event_hub_auth_rule.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-09-04 09:32:30 -04:00
committed by GitHub
parent 0ac7f3d672
commit a49d102de3
1 changed files with 66 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/azure/collection_update_event_hub_auth_rule.toml
+66
View File
@@ -0,0 +1,66 @@
[metadata]
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
[rule]
author = ["Elastic"]
description = """
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
recommended that you treat this rule like an administrative root account and don't use it in your application.
"""
false_positives = [
"""
Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions
or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false
positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Event Hub Authorization Rule Created or Updated"
note = "The Azure Filebeat module must be enabled to use this rule."
references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
risk_score = 47
rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
severity = "medium"
tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
type = "query"
query = '''
event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage Object"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"