[New Rule] Azure Blob Container Access Level Modification (#192)

* Create discovery_blob_container_access_mod.toml

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* Update rules/azure/discovery_blob_container_access_mod.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Brent Murphy
2020-09-04 10:48:21 -04:00
committed by GitHub
parent 6d3955bd8a
commit e49b69af10
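--- /dev/null
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2020/08/20"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/08/20"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is
+a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.
+"""
+false_positives = [
+"""
+Access level modifications may be done by a system or network administrator. Verify whether the username, hostname,
+and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users
+or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+""",
+]
+from = "now-25m"
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Blob Container Access Level Modification"
+note = "The Azure Filebeat module must be enabled to use this rule."
+references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
+risk_score = 21
+rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
+severity = "low"
+tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Asset Visibility"]
+type = "query"
+query = '''
+event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"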
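Review bot: The `query` matches every successful `CONTAINERS/WRITE` activity-log operation, which includes container creation and any property update, not only changes to the anonymous access level that the `name` and `description` claim to detect; nothing in the query checks the resulting access level, so an analyst cannot tell from an alert whether a container was actually opened to public read. If the Filebeat module exposes the write's request body on the event (the activity log carries it for some resource writes, but I have not confirmed the field name in this module's mapping), narrow the query to records whose body sets the container's public access property; otherwise reword the description to `Identifies creation or modification of blob containers in Azure, which may change the container's anonymous public read access level.` and extend `note` with an investigation step such as `Confirm the container's current public access level before escalating.` Two smaller robustness points on the same line: quote the operation name (`azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE"`) so the KQL does not depend on how the slashes are tokenized, and verify the case the installed module version writes to `event.outcome`, since a keyword-mapped field holding `success` would not match `event.outcome:Success`.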