forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcredential_access_key_vault_modified.toml
More file actions
65 lines (56 loc) · 2.3 KB
/
credential_access_key_vault_modified.toml
File metadata and controls
65 lines (56 loc) · 2.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
[metadata]
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
key vaults should be secured to allow only authorized applications and users.
"""
false_positives = [
"""
Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Key Vault Modified"
note = """## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
"https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"