[Rule Tuning] Excessive Secret or Key Retrieval from Azure Key Vault (#5220)

Mikaayenson · web-flow · commit 871cfb61b739 · 2025-10-14T12:53:02.000-05:00
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/14"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ Azure Key Vault is a cloud service that safeguards encryption keys and secrets l
 - Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies.
 - Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
 - Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
-- Check the `source.ip` or `geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
+- Check the `source.ip` or `source.geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
 - Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
 - Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
 - Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
@@ -123,9 +123,9 @@ from logs-azure.platformlogs-* metadata _id, _index
     Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
 
     Esql.source_ip_values = values(source.ip),
-    Esql.geo_city_values = values(geo.city_name),
-    Esql.geo_region_values = values(geo.region_name),
-    Esql.geo_country_values = values(geo.country_name),
+    Esql.source_geo_city_values = values(source.geo.city_name),
+    Esql.source_geo_region_values = values(source.geo.region_name),
+    Esql.source_geo_country_values = values(source.geo.country_name),
     Esql.source_as_organization_name_values = values(source.as.organization.name),
 
     Esql.event_action_values = values(event.action),
@@ -150,9 +150,9 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
     Esql.azure_platformlogs_identity_claim_upn_count_distinct,
     Esql.azure_platformlogs_identity_claim_appid_values,
     Esql.source_ip_values,
-    Esql.geo_city_values,
-    Esql.geo_region_values,
-    Esql.geo_country_values,
+    Esql.source_geo_city_values,
+    Esql.source_geo_region_values,
+    Esql.source_geo_country_values,
     Esql.source_as_organization_name_values,
     Esql.event_action_values,
     Esql.event_count,
