[Rule Tuning] CWP Rule Review and Tuning (Azure)

[terrancedejesus]

Link to rule

Azure Integration Rules

Rule Review/Tuning

The following rules are older than 90 days and could use review/tuning.

• [ ] - Azure Kubernetes Rolebindings Created
• [x] - Azure Active Directory High Risk User Sign-in Heuristic
• [ ] - Azure Kubernetes Pods Deleted
• [x] - Azure Automation Account Created
• [x] - Azure Event Hub Authorization Rule Created or Updated
• [x] - Azure Privilege Identity Management Role Modified
• [x] - Azure Automation Runbook Created or Modified
• [x] - Azure Active Directory High Risk Sign-in
• [x] - Azure Blob Permissions Modification
• [x] - Azure Automation Webhook Created
• [x] - Azure Command Execution on Virtual Machine
• [x] - User Added as Owner for Azure Application
• [x] - Azure Event Hub Deletion
• [x] - Azure Automation Runbook Deleted
• [x] - User Added as Owner for Azure Service Principal
• [x] - Multi-Factor Authentication Disabled for an Azure User
• [x] - Possible Consent Grant Attack via Azure-Registered Application
• [x] - Azure Storage Account Key Regenerated

New Rules

The following rules were added for Azure to help with additional coverage to Active Directory.

Potential - May be 8.4 for new rules

• Azure DevOps Audit Stream Disabled
• Azure AD Role Management Permission Grant
• Azure DevOps Personal Access Token (PAT) misuse
• Azure DevOps Agent Pool Created Then Deleted
• Azure Portal Signin from another Azure Tenant
• Azure Active Directory Hybrid Health AD FS New Server
• Azure DevOps Variable Secret Not Secured

Pre-Existing PRs

• [ ] https://github.com/elastic/detection-rules/issues/1630

Review

Reviewing each rule requires the following to ensure it meets expectations.

• No excessive volume in telemetry
• All query fields used are valid and have not been changed
• Simulation achieved and alert triggered
• Potential False-Positives (FP) addressed if necessary

[terrancedejesus]

Azure Storage Account Key Regenerated

• Alert still generates if keys are regenerated both primary and secondary.
• No potential to tune as regenerating keys is best security practice

Example Document

{ "_index": ".internal.alerts-security.alerts-default-000001", "_id": "b4a8fe5cfa0668827f67dacaa7db360a9e559082823a4483c95a70dd3397dbef", "_score": 1, "_source": { "kibana.version": "8.1.2", "kibana.alert.rule.category": "Custom Query Rule", "kibana.alert.rule.consumer": "siem", "kibana.alert.rule.execution.uuid": "2adb5ec4-74f1-4e7d-a572-8cfa4210a10b", "kibana.alert.rule.name": "Azure Storage Account Key Regenerated", "kibana.alert.rule.producer": "siem", "kibana.alert.rule.rule_type_id": "siem.queryRule", "kibana.alert.rule.uuid": "47b5cb8c-c017-11ec-bad2-73c81bfd40d7", "kibana.space_ids": [ "default" ], "kibana.alert.rule.tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access" ], "@timestamp": "2022-04-25T17:01:10.268Z", "agent": { "name": "ubuntu-dejesus", "id": "48b9000b-ae10-4051-80eb-04462c388ac7", "type": "filebeat", "ephemeral_id": "110f6857-6e93-48ff-93fd-2b8cd37649b8", "version": "8.1.2" }, "log": { "level": "Information" }, "elastic_agent": { "id": "48b9000b-ae10-4051-80eb-04462c388ac7", "version": "8.1.2", "snapshot": false }, "source": { "geo": { "continent_name": "North America", "region_iso_code": "US-OH", "city_name": "North Canton", "country_iso_code": "US", "country_name": "United States", "region_name": "Ohio", "location": { "lon": -81.3798, "lat": 40.7961 } }, "as": { "number": 10796, "organization": { "name": "TWC-10796-MIDWEST" } }, "ip": "173.88.215.85" }, "azure-eventhub": { "sequence_number": 25, "consumer_group": "$Default", "offset": 199288, "eventhub": "elastic", "enqueued_time": "2022-04-25T16:56:33.823Z" }, "tags": [ "preserve_original_event", "azure-activitylogs", "forwarded" ], "cloud": { "availability_zone": "us-east1-b", "instance": { "name": "ubuntu-dejesus", "id": "8722555630420520528" }, "provider": "azure", "service": { "name": "GCE" }, "machine": { "type": "e2-medium" }, "project": { "id": "elastic-security-dev" }, "account": { "id": "elastic-security-dev" } }, "geo": { "continent_name": "North America", "region_iso_code": "US-OH", "city_name": "North Canton", "country_iso_code": "US", "country_name": "United States", "region_name": "Ohio", "location": { "lon": -81.3798, "lat": 40.7961 } }, "input": { "type": "azure-eventhub" }, "ecs": { "version": "8.0.0" }, "related": { "ip": [ "173.88.215.85" ], "user": [ "terdeje50" ] }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "azure.activitylogs" }, "client": { "ip": "173.88.215.85" }, "user": { "full_name": "Terrance DeJesus", "domain": "gmail.com", "name": "terdeje50", "email": "live.com#terdeje50@gmail.com" }, "azure": { "subscription_id": "1E38443A-424B-4211-9A1B-CB3CB31837AE", "resource": { "provider": "MICROSOFT.STORAGE/STORAGEACCOUNTS", "name": "ELASTICSIEMDEV", "id": "/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV", "group": "ELASTIC" }, "correlation_id": "4d822e82-853f-4070-bf09-84f3b07299f0", "activitylogs": { "tenant_id": "645b56f5-ed4e-473f-9a11-eaf15182f822", "operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION", "result_type": "Success", "identity": { "authorization": { "evidence": { "role_definition_id": "8e3af657a8ff443ca75c2fe8c4bcb635", "role": "Owner", "role_assignment_scope": "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae", "role_assignment_id": "65ead8cf4d62441d957bbb4edbab6557", "principal_type": "User", "principal_id": "c56025eb5264485fa6cfab18ce9fb82c" }, "scope": "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev", "action": "Microsoft.Storage/storageAccounts/regenerateKey/action" }, "claims": { "xms_tcdt": "1637951977", "aio": "AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6", "iss": "https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/", "altsecid": "1:live.com:0003BFFDD2998177", "http://schemas_microsoft_com/identity/claims/identityprovider": "live.com", "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": "M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY", "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": "DeJesus", "http://schemas_microsoft_com/identity/claims/scope": "user_impersonation", "http://schemas_microsoft_com/identity/claims/tenantid": "645b56f5-ed4e-473f-9a11-eaf15182f822", "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/emailaddress": "terdeje50@gmail.com", "puid": "10032001B147E364", "wids": "62e90394-69f5-4237-9190-012177145e10", "http://schemas_microsoft_com/claims/authnclassreference": "1", "exp": "1650907034", "ipaddr": "173.88.215.85", "iat": "1650901884", "http://schemas_microsoft_com/identity/claims/objectidentifier": "c56025eb-5264-485f-a6cf-ab18ce9fb82c", "http://schemas_microsoft_com/claims/authnmethodsreferences": "pwd,mfa", "ver": "1.0", "groups": "2e66d2e9-d908-48b2-b321-a0af00c7853f", "uti": "2BIy_siUSUSY-nbHc9rzAA", "aud": "https://management.core.windows.net/", "nbf": "1650901884", "appidacr": "2", "rh": "0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo.", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": "Terrance", "http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": "live.com#terdeje50@gmail.com" }, "claims_initiated_by_user": { "schema": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", "surname": "DeJesus", "givenname": "Terrance", "name": "live.com#terdeje50@gmail.com", "fullname": "Terrance DeJesus" } }, "event_category": "Administrative", "result_signature": "Succeeded.OK", "category": "Administrative", "RoleLocation": "North Central US", "properties": { "status_code": "OK", "hierarchy": "1e38443a-424b-4211-9a1b-cb3cb31837ae", "message": "Microsoft.Storage/storageAccounts/regenerateKey/action", "entity": "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev" }, "ReleaseVersion": "6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14" } }, "event.duration": "470", "event.agent_id_status": "verified", "event.ingested": "2022-04-25T16:56:35Z", "event.original": "{\"ReleaseVersion\":\"6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14\",\"RoleLocation\":\"North Central US\",\"callerIpAddress\":\"173.88.215.85\",\"category\":\"Administrative\",\"correlationId\":\"4d822e82-853f-4070-bf09-84f3b07299f0\",\"durationMs\":\"470\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"evidence\":{\"principalId\":\"c56025eb5264485fa6cfab18ce9fb82c\",\"principalType\":\"User\",\"role\":\"Owner\",\"roleAssignmentId\":\"65ead8cf4d62441d957bbb4edbab6557\",\"roleAssignmentScope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"roleDefinitionId\":\"8e3af657a8ff443ca75c2fe8c4bcb635\"},\"scope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\"},\"claims\":{\"aio\":\"AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6\",\"altsecid\":\"1:live.com:0003BFFDD2998177\",\"appid\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1650907034\",\"groups\":\"2e66d2e9-d908-48b2-b321-a0af00c7853f\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd,mfa\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"live.com\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"c56025eb-5264-485f-a6cf-ab18ce9fb82c\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"Terrance\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"live.com#terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"DeJesus\",\"iat\":\"1650901884\",\"ipaddr\":\"173.88.215.85\",\"iss\":\"https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/\",\"name\":\"Terrance DeJesus\",\"nbf\":\"1650901884\",\"puid\":\"10032001B147E364\",\"rh\":\"0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo.\",\"uti\":\"2BIy_siUSUSY-nbHc9rzAA\",\"ver\":\"1.0\",\"wids\":\"62e90394-69f5-4237-9190-012177145e10\",\"xms_tcdt\":\"1637951977\"}},\"level\":\"Information\",\"operationName\":\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\",\"properties\":{\"entity\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\",\"eventCategory\":\"Administrative\",\"hierarchy\":\"1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"message\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"serviceRequestId\":null,\"statusCode\":\"OK\"},\"resourceId\":\"/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV\",\"resultSignature\":\"Succeeded.OK\",\"resultType\":\"Success\",\"tenantId\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"time\":\"2022-04-25T16:51:29.8351941Z\"}", "event.kind": "signal", "event.action": "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION", "event.dataset": "azure.activitylogs", "event.outcome": "success", "event.module": "azure", "kibana.alert.ancestors": [ { "id": "KeunYYABKGBqBq6CSTHJ", "type": "event", "index": ".ds-logs-azure.activitylogs-default-2022.04.25-000001", "depth": 0 } ], "kibana.alert.status": "active", "kibana.alert.workflow_status": "open", "kibana.alert.depth": 1, "kibana.alert.reason": "event by terdeje50 created low alert Azure Storage Account Key Regenerated.", "kibana.alert.severity": "low", "kibana.alert.risk_score": 21, "kibana.alert.rule.parameters": { "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", "risk_score": 21, "severity": "low", "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "license": "Elastic License v2", "timestamp_override": "event.ingested", "author": [ "Elastic" ], "false_positives": [ "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." ], "from": "now-25m", "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", "max_signals": 100, "risk_score_mapping": [], "severity_mapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "reference": "https://attack.mitre.org/tactics/TA0006/", "name": "Credential Access", "id": "TA0006" }, "technique": [ { "reference": "https://attack.mitre.org/techniques/T1528/", "name": "Steal Application Access Token", "id": "T1528" } ] } ], "to": "now", "references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], "version": 5, "exceptions_list": [], "immutable": true, "type": "query", "language": "kuery", "index": [ "filebeat-*", "logs-azure*" ], "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n" }, "kibana.alert.rule.actions": [], "kibana.alert.rule.created_at": "2022-04-19T19:31:17.147Z", "kibana.alert.rule.created_by": "4220331459", "kibana.alert.rule.enabled": true, "kibana.alert.rule.interval": "5m", "kibana.alert.rule.updated_at": "2022-04-21T16:09:51.024Z", "kibana.alert.rule.updated_by": "4220331459", "kibana.alert.rule.type": "query", "kibana.alert.rule.description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", "kibana.alert.rule.risk_score": 21, "kibana.alert.rule.severity": "low", "kibana.alert.rule.note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "kibana.alert.rule.license": "Elastic License v2", "kibana.alert.rule.timestamp_override": "event.ingested", "kibana.alert.rule.author": [ "Elastic" ], "kibana.alert.rule.false_positives": [ "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." ], "kibana.alert.rule.from": "now-25m", "kibana.alert.rule.rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", "kibana.alert.rule.max_signals": 100, "kibana.alert.rule.risk_score_mapping": [], "kibana.alert.rule.severity_mapping": [], "kibana.alert.rule.threat": [ { "framework": "MITRE ATT&CK", "tactic": { "reference": "https://attack.mitre.org/tactics/TA0006/", "name": "Credential Access", "id": "TA0006" }, "technique": [ { "reference": "https://attack.mitre.org/techniques/T1528/", "name": "Steal Application Access Token", "id": "T1528" } ] } ], "kibana.alert.rule.to": "now", "kibana.alert.rule.references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], "kibana.alert.rule.version": 5, "kibana.alert.rule.exceptions_list": [], "kibana.alert.rule.immutable": true, "kibana.alert.original_time": "2022-04-25T16:51:29.835Z", "kibana.alert.original_event.duration": "470", "kibana.alert.original_event.agent_id_status": "verified", "kibana.alert.original_event.ingested": "2022-04-25T16:56:35Z", "kibana.alert.original_event.original": "{\"ReleaseVersion\":\"6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14\",\"RoleLocation\":\"North Central US\",\"callerIpAddress\":\"173.88.215.85\",\"category\":\"Administrative\",\"correlationId\":\"4d822e82-853f-4070-bf09-84f3b07299f0\",\"durationMs\":\"470\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"evidence\":{\"principalId\":\"c56025eb5264485fa6cfab18ce9fb82c\",\"principalType\":\"User\",\"role\":\"Owner\",\"roleAssignmentId\":\"65ead8cf4d62441d957bbb4edbab6557\",\"roleAssignmentScope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"roleDefinitionId\":\"8e3af657a8ff443ca75c2fe8c4bcb635\"},\"scope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\"},\"claims\":{\"aio\":\"AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6\",\"altsecid\":\"1:live.com:0003BFFDD2998177\",\"appid\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1650907034\",\"groups\":\"2e66d2e9-d908-48b2-b321-a0af00c7853f\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd,mfa\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"live.com\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"c56025eb-5264-485f-a6cf-ab18ce9fb82c\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"Terrance\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"live.com#terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"DeJesus\",\"iat\":\"1650901884\",\"ipaddr\":\"173.88.215.85\",\"iss\":\"https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/\",\"name\":\"Terrance DeJesus\",\"nbf\":\"1650901884\",\"puid\":\"10032001B147E364\",\"rh\":\"0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo.\",\"uti\":\"2BIy_siUSUSY-nbHc9rzAA\",\"ver\":\"1.0\",\"wids\":\"62e90394-69f5-4237-9190-012177145e10\",\"xms_tcdt\":\"1637951977\"}},\"level\":\"Information\",\"operationName\":\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\",\"properties\":{\"entity\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\",\"eventCategory\":\"Administrative\",\"hierarchy\":\"1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"message\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"serviceRequestId\":null,\"statusCode\":\"OK\"},\"resourceId\":\"/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV\",\"resultSignature\":\"Succeeded.OK\",\"resultType\":\"Success\",\"tenantId\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"time\":\"2022-04-25T16:51:29.8351941Z\"}", "kibana.alert.original_event.kind": "event", "kibana.alert.original_event.action": "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION", "kibana.alert.original_event.dataset": "azure.activitylogs", "kibana.alert.original_event.outcome": "success", "kibana.alert.original_event.module": "azure", "kibana.alert.uuid": "b4a8fe5cfa0668827f67dacaa7db360a9e559082823a4483c95a70dd3397dbef" }, "fields": { "kibana.alert.rule.updated_by": [ "4220331459" ], "kibana.alert.rule.references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], "elastic_agent.version": [ "8.1.2" ], "kibana.alert.original_event.original": [ "{\"ReleaseVersion\":\"6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14\",\"RoleLocation\":\"North Central US\",\"callerIpAddress\":\"173.88.215.85\",\"category\":\"Administrative\",\"correlationId\":\"4d822e82-853f-4070-bf09-84f3b07299f0\",\"durationMs\":\"470\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"evidence\":{\"principalId\":\"c56025eb5264485fa6cfab18ce9fb82c\",\"principalType\":\"User\",\"role\":\"Owner\",\"roleAssignmentId\":\"65ead8cf4d62441d957bbb4edbab6557\",\"roleAssignmentScope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"roleDefinitionId\":\"8e3af657a8ff443ca75c2fe8c4bcb635\"},\"scope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\"},\"claims\":{\"aio\":\"AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6\",\"altsecid\":\"1:live.com:0003BFFDD2998177\",\"appid\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1650907034\",\"groups\":\"2e66d2e9-d908-48b2-b321-a0af00c7853f\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd,mfa\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"live.com\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"c56025eb-5264-485f-a6cf-ab18ce9fb82c\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"Terrance\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"live.com#terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"DeJesus\",\"iat\":\"1650901884\",\"ipaddr\":\"173.88.215.85\",\"iss\":\"https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/\",\"name\":\"Terrance DeJesus\",\"nbf\":\"1650901884\",\"puid\":\"10032001B147E364\",\"rh\":\"0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo.\",\"uti\":\"2BIy_siUSUSY-nbHc9rzAA\",\"ver\":\"1.0\",\"wids\":\"62e90394-69f5-4237-9190-012177145e10\",\"xms_tcdt\":\"1637951977\"}},\"level\":\"Information\",\"operationName\":\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\",\"properties\":{\"entity\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\",\"eventCategory\":\"Administrative\",\"hierarchy\":\"1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"message\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"serviceRequestId\":null,\"statusCode\":\"OK\"},\"resourceId\":\"/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV\",\"resultSignature\":\"Succeeded.OK\",\"resultType\":\"Success\",\"tenantId\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"time\":\"2022-04-25T16:51:29.8351941Z\"}" ], "kibana.alert.rule.threat.technique.id": [ "T1528" ], "azure.activitylogs.ReleaseVersion": [ "6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14" ], "signal.rule.enabled": [ "true" ], "signal.rule.max_signals": [ 100 ], "azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/nameidentifier": [ "M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY" ], "source.geo.region_name": [ "Ohio" ], "kibana.alert.risk_score": [ 21 ], "signal.rule.updated_at": [ "2022-04-21T16:09:51.024Z" ], "source.geo.city_name": [ "North Canton" ], "azure.activitylogs.identity.claims.wids": [ "62e90394-69f5-4237-9190-012177145e10" ], "azure.activitylogs.identity.claims.ver": [ "1.0" ], "kibana.alert.original_event.module": [ "azure" ], "signal.rule.references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], "kibana.alert.rule.interval": [ "5m" ], "kibana.alert.rule.type": [ "query" ], "tags": [ "preserve_original_event", "azure-activitylogs", "forwarded" ], "kibana.alert.rule.immutable": [ "true" ], "kibana.alert.rule.version": [ "5" ], "source.as.number": [ 10796 ], "azure.activitylogs.identity.claims.uti": [ "2BIy_siUSUSY-nbHc9rzAA" ], "azure.activitylogs.identity.claims.aio": [ "AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6" ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/claims/authnclassreference": [ "1" ], "signal.original_event.outcome": [ "success" ], "azure.activitylogs.identity.claims.rh": [ "0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo." ], "azure.resource.group": [ "ELASTIC" ], "agent.type": [ "filebeat" ], "related.ip": [ "173.88.215.85" ], "azure.activitylogs.result_signature": [ "Succeeded.OK" ], "signal.rule.threat.framework": [ "MITRE ATT&CK" ], "azure-eventhub.eventhub": [ "elastic" ], "azure.activitylogs.identity.authorization.scope": [ "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev" ], "elastic_agent.id": [ "48b9000b-ae10-4051-80eb-04462c388ac7" ], "azure.correlation_id": [ "4d822e82-853f-4070-bf09-84f3b07299f0" ], "kibana.alert.rule.false_positives": [ "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." ], "signal.rule.updated_by": [ "4220331459" ], "cloud.account.id": [ "elastic-security-dev" ], "kibana.alert.rule.severity": [ "low" ], "signal.rule.threat.technique.reference": [ "https://attack.mitre.org/techniques/T1528/" ], "signal.original_event.duration": [ "470" ], "kibana.version": [ "8.1.2" ], "azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/surname": [ "DeJesus" ], "signal.ancestors.type": [ "event" ], "cloud.instance.name": [ "ubuntu-dejesus" ], "kibana.alert.ancestors.id": [ "KeunYYABKGBqBq6CSTHJ" ], "kibana.alert.rule.description": [ "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources." ], "azure.subscription_id": [ "1E38443A-424B-4211-9A1B-CB3CB31837AE" ], "kibana.alert.rule.producer": [ "siem" ], "geo.country_iso_code": [ "US" ], "kibana.alert.rule.to": [ "now" ], "kibana.alert.original_event.ingested": [ "2022-04-25T16:56:35.000Z" ], "signal.rule.id": [ "47b5cb8c-c017-11ec-bad2-73c81bfd40d7" ], "signal.rule.risk_score": [ 21 ], "signal.reason": [ "event by terdeje50 created low alert Azure Storage Account Key Regenerated." ], "azure.activitylogs.event_category": [ "Administrative" ], "log.level": [ "Information" ], "signal.status": [ "open" ], "signal.rule.tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access" ], "event.original": [ "{\"ReleaseVersion\":\"6.2022.14.12+8b4f786ea76cf7782d17f26181c74ea04f475986.release_2022w14\",\"RoleLocation\":\"North Central US\",\"callerIpAddress\":\"173.88.215.85\",\"category\":\"Administrative\",\"correlationId\":\"4d822e82-853f-4070-bf09-84f3b07299f0\",\"durationMs\":\"470\",\"identity\":{\"authorization\":{\"action\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"evidence\":{\"principalId\":\"c56025eb5264485fa6cfab18ce9fb82c\",\"principalType\":\"User\",\"role\":\"Owner\",\"roleAssignmentId\":\"65ead8cf4d62441d957bbb4edbab6557\",\"roleAssignmentScope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"roleDefinitionId\":\"8e3af657a8ff443ca75c2fe8c4bcb635\"},\"scope\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\"},\"claims\":{\"aio\":\"AWQAm/8TAAAAvdXbJ2naFX3HJJWHxv95JOmpvc+X8Xd+b4NfUyolJoT2HL8nDg1NRi03mZmKc8QGRdhdrKl2e+DJrF14P1QTIbkLHjfz71zNZSD4UCQCw6Z1HKg4E/oLgme+KkEIBoZ6\",\"altsecid\":\"1:live.com:0003BFFDD2998177\",\"appid\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1650907034\",\"groups\":\"2e66d2e9-d908-48b2-b321-a0af00c7853f\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd,mfa\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"live.com\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"c56025eb-5264-485f-a6cf-ab18ce9fb82c\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\":\"terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"Terrance\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\"live.com#terdeje50@gmail.com\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"M5IA0ObVXevkSJYhxjGSnmjUPnxo1Wrp3KXPKnVr6gY\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"DeJesus\",\"iat\":\"1650901884\",\"ipaddr\":\"173.88.215.85\",\"iss\":\"https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/\",\"name\":\"Terrance DeJesus\",\"nbf\":\"1650901884\",\"puid\":\"10032001B147E364\",\"rh\":\"0.AUYA9VZbZE7tP0eaEerxUYL4IkZIf3kAutdPukPawfj2MBOAAOo.\",\"uti\":\"2BIy_siUSUSY-nbHc9rzAA\",\"ver\":\"1.0\",\"wids\":\"62e90394-69f5-4237-9190-012177145e10\",\"xms_tcdt\":\"1637951977\"}},\"level\":\"Information\",\"operationName\":\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\",\"properties\":{\"entity\":\"/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev\",\"eventCategory\":\"Administrative\",\"hierarchy\":\"1e38443a-424b-4211-9a1b-cb3cb31837ae\",\"message\":\"Microsoft.Storage/storageAccounts/regenerateKey/action\",\"serviceRequestId\":null,\"statusCode\":\"OK\"},\"resourceId\":\"/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV\",\"resultSignature\":\"Succeeded.OK\",\"resultType\":\"Success\",\"tenantId\":\"645b56f5-ed4e-473f-9a11-eaf15182f822\",\"time\":\"2022-04-25T16:51:29.8351941Z\"}" ], "kibana.alert.rule.uuid": [ "47b5cb8c-c017-11ec-bad2-73c81bfd40d7" ], "kibana.alert.rule.threat.tactic.name": [ "Credential Access" ], "azure.activitylogs.properties.hierarchy": [ "1e38443a-424b-4211-9a1b-cb3cb31837ae" ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/claims/authnmethodsreferences": [ "pwd,mfa" ], "azure.activitylogs.identity.claims.ipaddr": [ "173.88.215.85" ], "client.ip": [ "173.88.215.85" ], "azure.activitylogs.identity.authorization.evidence.principal_id": [ "c56025eb5264485fa6cfab18ce9fb82c" ], "azure.activitylogs.identity.claims.altsecid": [ "1:live.com:0003BFFDD2998177" ], "azure.activitylogs.identity.claims_initiated_by_user.surname": [ "DeJesus" ], "geo.city_name": [ "North Canton" ], "kibana.alert.ancestors.index": [ ".ds-logs-azure.activitylogs-default-2022.04.25-000001" ], "azure.activitylogs.identity.claims.nbf": [ "1650901884" ], "user.full_name": [ "Terrance DeJesus" ], "agent.version": [ "8.1.2" ], "kibana.alert.rule.from": [ "now-25m" ], "kibana.alert.rule.parameters": [ { "severity": "low", "max_signals": 100, "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity_mapping": [], "references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], "risk_score": 21, "risk_score_mapping": [], "author": [ "Elastic" ], "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", "index": [ "filebeat-*", "logs-azure*" ], "language": "kuery", "type": "query", "version": 5, "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", "license": "Elastic License v2", "immutable": true, "exceptions_list": [], "timestamp_override": "event.ingested", "from": "now-25m", "false_positives": [ "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." ], "threat": [ { "technique": [ { "reference": "https://attack.mitre.org/techniques/T1528/", "name": "Steal Application Access Token", "id": "T1528" } ], "framework": "MITRE ATT&CK", "tactic": { "reference": "https://attack.mitre.org/tactics/TA0006/", "name": "Credential Access", "id": "TA0006" } } ], "to": "now" } ], "kibana.alert.rule.threat.tactic.id": [ "TA0006" ], "signal.original_event.kind": [ "event" ], "kibana.alert.rule.threat.technique.name": [ "Steal Application Access Token" ], "signal.depth": [ 1 ], "signal.rule.immutable": [ "true" ], "geo.region_iso_code": [ "US-OH" ], "signal.rule.name": [ "Azure Storage Account Key Regenerated" ], "azure.activitylogs.operation_name": [ "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" ], "event.module": [ "azure" ], "kibana.alert.rule.license": [ "Elastic License v2" ], "kibana.alert.original_event.kind": [ "event" ], "azure-eventhub.consumer_group": [ "$Default" ], "azure.activitylogs.identity.claims_initiated_by_user.schema": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" ], "signal.rule.description": [ "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources." ], "azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/emailaddress": [ "terdeje50@gmail.com" ], "azure.activitylogs.identity.authorization.evidence.principal_type": [ "User" ], "source.geo.continent_name": [ "North America" ], "source.as.organization.name": [ "TWC-10796-MIDWEST" ], "geo.region_name": [ "Ohio" ], "geo.continent_name": [ "North America" ], "kibana.alert.original_event.outcome": [ "success" ], "kibana.space_ids": [ "default" ], "kibana.alert.severity": [ "low" ], "azure.resource.id": [ "/SUBSCRIPTIONS/1E38443A-424B-4211-9A1B-CB3CB31837AE/RESOURCEGROUPS/ELASTIC/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/ELASTICSIEMDEV" ], "signal.ancestors.depth": [ 0 ], "kibana.alert.rule.tags": [ "Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access" ], "geo.location.lat": [ 40.7961 ], "kibana.alert.ancestors.depth": [ 0 ], "azure.activitylogs.tenant_id": [ "645b56f5-ed4e-473f-9a11-eaf15182f822" ], "source.ip": [ "173.88.215.85" ], "agent.name": [ "ubuntu-dejesus" ], "event.agent_id_status": [ "verified" ], "azure.activitylogs.identity.claims.iss": [ "https://sts.windows.net/645b56f5-ed4e-473f-9a11-eaf15182f822/" ], "event.outcome": [ "success" ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/identityprovider": [ "live.com" ], "azure.activitylogs.identity.claims.puid": [ "10032001B147E364" ], "input.type": [ "azure-eventhub" ], "azure.activitylogs.identity.authorization.action": [ "Microsoft.Storage/storageAccounts/regenerateKey/action" ], "related.user": [ "terdeje50" ], "cloud.provider": [ "azure" ], "cloud.machine.type": [ "e2-medium" ], "agent.id": [ "48b9000b-ae10-4051-80eb-04462c388ac7" ], "signal.original_event.module": [ "azure" ], "azure.activitylogs.identity.claims.aud": [ "https://management.core.windows.net/" ], "signal.rule.from": [ "now-25m" ], "azure.activitylogs.identity.claims_initiated_by_user.fullname": [ "Terrance DeJesus" ], "kibana.alert.rule.enabled": [ "true" ], "kibana.alert.ancestors.type": [ "event" ], "azure.activitylogs.identity.claims.groups": [ "2e66d2e9-d908-48b2-b321-a0af00c7853f" ], "azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/name": [ "live.com#terdeje50@gmail.com" ], "user.name": [ "terdeje50" ], "signal.ancestors.index": [ ".ds-logs-azure.activitylogs-default-2022.04.25-000001" ], "kibana.alert.original_event.duration": [ "470" ], "cloud.instance.id": [ "8722555630420520528" ], "azure.activitylogs.properties.entity": [ "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae/resourceGroups/Elastic/providers/Microsoft.Storage/storageAccounts/elasticsiemdev" ], "geo.country_name": [ "United States" ], "user.email": [ "live.com#terdeje50@gmail.com" ], "elastic_agent.snapshot": [ false ], "user.domain": [ "gmail.com" ], "kibana.alert.rule.note": [ "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/tenantid": [ "645b56f5-ed4e-473f-9a11-eaf15182f822" ], "geo.location.lon": [ -81.3798 ], "kibana.alert.rule.max_signals": [ 100 ], "azure-eventhub.offset": [ 199288 ], "signal.rule.author": [ "Elastic" ], "kibana.alert.rule.risk_score": [ 21 ], "azure.activitylogs.identity.claims.iat": [ "1650901884" ], "azure-eventhub.enqueued_time": [ "2022-04-25T16:56:33.823Z" ], "signal.rule.threat.technique.id": [ "T1528" ], "signal.original_event.dataset": [ "azure.activitylogs" ], "kibana.alert.rule.consumer": [ "siem" ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/objectidentifier": [ "c56025eb-5264-485f-a6cf-ab18ce9fb82c" ], "azure.activitylogs.identity.claims_initiated_by_user.givenname": [ "Terrance" ], "event.duration": [ 470 ], "kibana.alert.rule.category": [ "Custom Query Rule" ], "event.ingested": [ "2022-04-25T16:56:35.000Z" ], "event.action": [ "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" ], "@timestamp": [ "2022-04-25T17:01:10.268Z" ], "kibana.alert.original_event.action": [ "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" ], "kibana.alert.original_event.agent_id_status": [ "verified" ], "data_stream.dataset": [ "azure.activitylogs" ], "signal.rule.timestamp_override": [ "event.ingested" ], "agent.ephemeral_id": [ "110f6857-6e93-48ff-93fd-2b8cd37649b8" ], "kibana.alert.uuid": [ "b4a8fe5cfa0668827f67dacaa7db360a9e559082823a4483c95a70dd3397dbef" ], "signal.rule.note": [ "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." ], "kibana.alert.rule.execution.uuid": [ "2adb5ec4-74f1-4e7d-a572-8cfa4210a10b" ], "signal.rule.threat.technique.name": [ "Steal Application Access Token" ], "azure.activitylogs.identity.claims.appidacr": [ "2" ], "signal.rule.license": [ "Elastic License v2" ], "cloud.project.id": [ "elastic-security-dev" ], "kibana.alert.rule.rule_id": [ "1e0b832e-957e-43ae-b319-db82d228c908" ], "signal.rule.type": [ "query" ], "azure.resource.provider": [ "MICROSOFT.STORAGE/STORAGEACCOUNTS" ], "azure.resource.name": [ "ELASTICSIEMDEV" ], "azure.activitylogs.RoleLocation": [ "North Central US" ], "signal.rule.created_by": [ "4220331459" ], "cloud.availability_zone": [ "us-east1-b" ], "signal.rule.interval": [ "5m" ], "kibana.alert.rule.created_by": [ "4220331459" ], "kibana.alert.rule.timestamp_override": [ "event.ingested" ], "azure.activitylogs.identity.claims.appid": [ "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" ], "kibana.alert.rule.name": [ "Azure Storage Account Key Regenerated" ], "kibana.alert.rule.threat.technique.reference": [ "https://attack.mitre.org/techniques/T1528/" ], "source.geo.region_iso_code": [ "US-OH" ], "event.kind": [ "signal" ], "azure.activitylogs.properties.status_code": [ "OK" ], "signal.rule.created_at": [ "2022-04-19T19:31:17.147Z" ], "kibana.alert.workflow_status": [ "open" ], "azure.activitylogs.identity.claims.xms_tcdt": [ "1637951977" ], "azure.activitylogs.identity.claims.exp": [ "1650907034" ], "kibana.alert.reason": [ "event by terdeje50 created low alert Azure Storage Account Key Regenerated." ], "signal.rule.threat.tactic.id": [ "TA0006" ], "data_stream.type": [ "logs" ], "signal.original_time": [ "2022-04-25T16:51:29.835Z" ], "signal.ancestors.id": [ "KeunYYABKGBqBq6CSTHJ" ], "cloud.service.name": [ "GCE" ], "signal.rule.severity": [ "low" ], "ecs.version": [ "8.0.0" ], "azure.activitylogs.category": [ "Administrative" ], "azure.activitylogs.identity.authorization.evidence.role_definition_id": [ "8e3af657a8ff443ca75c2fe8c4bcb635" ], "kibana.alert.depth": [ 1 ], "signal.rule.version": [ "5" ], "kibana.alert.status": [ "active" ], "signal.rule.false_positives": [ "It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated." ], "source.geo.location": [ { "coordinates": [ -81.3798, 40.7961 ], "type": "Point" } ], "kibana.alert.original_event.dataset": [ "azure.activitylogs" ], "azure.activitylogs.identity.claims_initiated_by_user.name": [ "live.com#terdeje50@gmail.com" ], "kibana.alert.rule.rule_type_id": [ "siem.queryRule" ], "signal.rule.rule_id": [ "1e0b832e-957e-43ae-b319-db82d228c908" ], "azure.activitylogs.identity.claims.http://schemas_microsoft_com/identity/claims/scope": [ "user_impersonation" ], "signal.rule.threat.tactic.reference": [ "https://attack.mitre.org/tactics/TA0006/" ], "source.geo.country_iso_code": [ "US" ], "azure.activitylogs.identity.authorization.evidence.role_assignment_id": [ "65ead8cf4d62441d957bbb4edbab6557" ], "azure.activitylogs.result_type": [ "Success" ], "azure.activitylogs.identity.authorization.evidence.role": [ "Owner" ], "signal.rule.threat.tactic.name": [ "Credential Access" ], "kibana.alert.rule.threat.framework": [ "MITRE ATT&CK" ], "kibana.alert.rule.updated_at": [ "2022-04-21T16:09:51.024Z" ], "data_stream.namespace": [ "default" ], "kibana.alert.rule.author": [ "Elastic" ], "azure.activitylogs.properties.message": [ "Microsoft.Storage/storageAccounts/regenerateKey/action" ], "kibana.alert.rule.threat.tactic.reference": [ "https://attack.mitre.org/tactics/TA0006/" ], "azure.activitylogs.identity.claims.http://schemas_xmlsoap_org/ws/2005/05/identity/claims/givenname": [ "Terrance" ], "signal.original_event.action": [ "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" ], "azure-eventhub.sequence_number": [ 25 ], "signal.rule.to": [ "now" ], "kibana.alert.rule.created_at": [ "2022-04-19T19:31:17.147Z" ], "azure.activitylogs.identity.authorization.evidence.role_assignment_scope": [ "/subscriptions/1e38443a-424b-4211-9a1b-cb3cb31837ae" ], "source.geo.country_name": [ "United States" ], "event.dataset": [ "azure.activitylogs" ], "kibana.alert.original_time": [ "2022-04-25T16:51:29.835Z" ] } }

[terrancedejesus]

8.3 Azure Conclusion

In 8.3 we mainly reviewed did the following:

• Setup and documented an Azure Lab to use for management, adversary simulation and more. Details are in a private Elastic document for now.
• Reviewed existing rules' queries and field names filtered on to make sure these fields did not change on Microsoft Azure's side where we would need to accommodate accordingly. Of these no changes were needed to existing rules or added to non-ecs schema.
• From testing, we identified several new rules that will be scoped for 8.4 release.
  • Azure DevOps Audit Stream Disabled
  • Azure AD Role Management Permission Grant
  • Azure DevOps Personal Access Token (PAT) misuse
  • Azure DevOps Agent Pool Created Then Deleted
  • Azure Portal Signin from another Azure Tenant
  • Azure Active Directory Hybrid Health AD FS New Server
  • Azure DevOps Variable Secret Not Secured
• Kubernetes is still currently being investigated using local testing.