Rules Contributing to Suspicious Azure Key Vault Activity Alert

The following rules are used to identify suspicious Azure Key Vault activity. Any one or more of these will trigger the Suspicious Azure Key Vault Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Keyvault Key Modified or Deleted

Identifies when a Keyvault Key is modified or deleted in Azure.

More details

Rule ID

azure_60

Query

{'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,80eeab92-0979-4152-942d-96749e11df40

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0006, T1555.006

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Severity

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/16	medium	Key being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Azure Key Vault Modified or Deleted

Identifies when a key vault is modified or deleted.

More details

Rule ID

azure_69

Query

{'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/WRITE', 'MICROSOFT.KEYVAULT/VAULTS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,459a2970-bb84-4e6a-a32e-ff0fbd99448d

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0006, T1555.006

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Severity

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/16	medium	Key Vault being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Azure Keyvault Secrets Modified or Deleted

Identifies when secrets are modified or deleted in Azure.

More details

Rule ID

azure_87

Query

{'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,b831353c-1971-477b-abb6-2828edc3bca1

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0006, T1555.006

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Severity

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/16	medium	Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.