Rules Contributing to Suspicious Azure Key Vault Activity Alert
The following rules identify suspicious Azure Key Vault activity. A match on any one or more of them triggers the Suspicious Azure Key Vault Activity Alert. The fields of each rule are listed below.
Azure Keyvault Key Modified or Deleted
Description: Identifies when a Key Vault key is modified or deleted in Azure.
Rule ID: (none listed)
Query: {'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION']}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events, configured.
Rule Source: SigmaHQ, 80eeab92-0979-4152-942d-96749e11df40
Author: Austin Songer @austinsonger
Tactics, Techniques, and Procedures: CREDENTIAL_ACCESS, IMPACT, T1555.006
References: (none listed)
Severity: 50
Suppression Logic Based On: (none listed)
Additional Information: (none listed)

Azure Key Vault Modified or Deleted
Description: Identifies when a key vault is modified or deleted.
Rule ID: (none listed)
Query: {'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/WRITE', 'MICROSOFT.KEYVAULT/VAULTS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE']}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events, configured.
Rule Source: SigmaHQ, 459a2970-bb84-4e6a-a32e-ff0fbd99448d
Author: Austin Songer @austinsonger
Tactics, Techniques, and Procedures: CREDENTIAL_ACCESS, IMPACT, T1555.006
References: (none listed)
Severity: 50
Suppression Logic Based On: (none listed)
Additional Information: (none listed)

Azure Keyvault Secrets Modified or Deleted
Description: Identifies when secrets are modified or deleted in Azure.
Rule ID: (none listed)
Query: {'selection': {'operationName': ['MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION', 'MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION']}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events, configured.
Rule Source: SigmaHQ, b831353c-1971-477b-abb6-2828edc3bca1
Author: Austin Songer @austinsonger
Tactics, Techniques, and Procedures: CREDENTIAL_ACCESS, IMPACT, T1555.006
References: (none listed)
Severity: 50
Suppression Logic Based On: (none listed)
Additional Information: (none listed)
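The three selections above are plain OR-lists over the Azure Activity Log operationName field. The following is an added example, not Stellar Cyber's or SigmaHQ's code, that evaluates all three rules over a few constructed activity-log records and reports which rule each record trips; the callers, subscription and vault names in the sample records are invented for the example. It also shows the one matching detail a practitioner should get right: Sigma string matching is case-insensitive by default, while activity-log exports can carry the operation name in mixed case.

```python
"""Added example (not Stellar Cyber's or SigmaHQ's code): the three Sigma
selections from this page, run over constructed Azure Activity Log records."""
import json

# operationName lists copied verbatim from the three rule queries above.
# A list under a Sigma field is an OR: any one value satisfies the selection,
# and each rule's condition is just 'selection'.
RULES = {
    "Azure Keyvault Key Modified or Deleted": [
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION",
    ],
    "Azure Key Vault Modified or Deleted": [
        "MICROSOFT.KEYVAULT/VAULTS/WRITE",
        "MICROSOFT.KEYVAULT/VAULTS/DELETE",
        "MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
    ],
    "Azure Keyvault Secrets Modified or Deleted": [
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION",
    ],
}


def matching_rules(event):
    """Titles of every rule whose selection matches this one event.

    Sigma string matching is case-insensitive by default, so the comparison
    is made in upper case: Azure Activity Log exports may carry the operation
    as 'Microsoft.KeyVault/vaults/secrets/write', which an exact match against
    the upper-cased rule values would silently miss.
    """
    op = str(event.get("operationName", "")).upper()
    return [title for title, ops in RULES.items() if op in ops]


def evaluate(ndjson_lines):
    """Run all three rules over newline-delimited JSON activity records.

    Returns one (rule title, caller, operationName) tuple per match, i.e. the
    per-rule evidence that the alert on this page aggregates.
    """
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for title in matching_rules(event):
            hits.append((title, event.get("caller", "?"), event["operationName"]))
    return hits


def alert_triggered(ndjson_lines):
    """The alert fires when any one or more contributing rules match."""
    return len(evaluate(ndjson_lines)) > 0


# Constructed sample records in the shape of Azure Activity Log entries
# (callers, subscription and vault names are invented for this example).
_VAULT = "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/kv-prod"
SAMPLE_LOG = [
    json.dumps({"operationName": "Microsoft.KeyVault/vaults/secrets/write",
                "caller": "deploy-pipeline@example.com", "resultType": "Success", "resourceId": _VAULT}),
    json.dumps({"operationName": "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
                "caller": "alice@example.com", "resultType": "Success", "resourceId": _VAULT}),
    json.dumps({"operationName": "Microsoft.KeyVault/vaults/keys/purge/action",
                "caller": "svc-backup@example.com", "resultType": "Success", "resourceId": _VAULT}),
    json.dumps({"operationName": "Microsoft.KeyVault/vaults/read",
                "caller": "alice@example.com", "resultType": "Success", "resourceId": _VAULT}),
]

if __name__ == "__main__":
    for title, caller, op in evaluate(SAMPLE_LOG):
        print(f"{title}: {caller} -> {op}")
    print("alert:", alert_triggered(SAMPLE_LOG))
```

Note that the selections match every listed operation regardless of caller or outcome, so routine secret writes from a deployment pipeline fire the Secrets rule exactly as a purge by an unexpected principal does; the caller and resourceId carried through in each hit are what a triage step would use to separate the two.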