security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dfef597794d4daf07eb4e8ebccd78bb64db930d4
sigma-rules/rules/integrations/azure/credential_access_key_vault_modified.toml
T
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00

63 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2021/07/20"
integration = "azure"
[rule]
author = ["Elastic"]
description = """
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
key vaults should be secured to allow only authorized applications and users.
"""
false_positives = [
"""
Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Key Vault Modified"
note = """## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
]
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink