diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml new file mode 100644 index 000000000..6b6164c26 --- /dev/null +++ b/rules/azure/discovery_blob_container_access_mod.toml @@ -0,0 +1,63 @@ +[metadata] +creation_date = "2020/08/20" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/08/20" + +[rule] +author = ["Elastic"] +description = """ +Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is +a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously. +""" +false_positives = [ + """ + Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, + and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users + or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "Azure Blob Container Access Level Modification" +note = "The Azure Filebeat module must be enabled to use this rule." +references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"] +risk_score = 21 +rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45" +severity = "low" +tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Asset Visibility"] +type = "query" + +query = ''' +event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:Success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/"