Identifies regeneration (rotation) of storage account access keys in Azure. Regenerating a key invalidates the previous value, so any application or Azure service that depends on that key loses access until it is updated with the new one. Adversaries may regenerate a key to obtain a valid credential for the storage account and the data and resources it holds.
Rule type: query
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Continuous Monitoring
- Identity and Access
Version: 3 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Rotating access keys periodically is recommended practice for keeping a storage account secure, so this rule will also fire on legitimate rotations. Known, scheduled rotation (for example, the automation identity and time window that performs it) can be added as an exception to the rule. A regeneration outside the expected time frame, or one performed by an unfamiliar user, host, or location, should be investigated.
The Azure Filebeat module must be enabled to use this rule.
event.dataset:azure.activitylogs and azure.activitylogs.operation_name :MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:(Success or success)
Framework: MITRE ATT&CK™
- Version 3 (7.11.2 release)
- Formatting only
- Version 2 (7.11.0 release)
Updated query, changed from:
event.dataset:azure.activitylogs and azure.activitylogs.operation_name :MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success
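The following is an added example, not Elastic's code or part of the rule: it replays the rule query above over a few constructed Azure activity log events, applies the triage guidance (exempt known rotation, flag unfamiliar principals or odd hours), and also shows what the version 1 query (`event.outcome:Success` only) would have missed. The identity and source fields it reads (`user.name`, `source.ip`, `@timestamp`) are ECS names assumed for the example; the page does not state which fields the Azure Filebeat module populates for these events, and the rotation principal and maintenance window are assumptions.

```python
"""Added example (not Elastic's code): replay the Azure storage key
regeneration rule over constructed events and triage the matches."""
from datetime import datetime, timezone

# Operation name the rule matches, exactly as written in the rule query.
REGENERATE_KEY_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"

# Constructed sample events (not real log data). Field names other than the
# three used by the rule query are ECS names assumed for this example.
EVENTS = [
    {  # scheduled rotation by the automation identity, inside its window
        "@timestamp": "2021-03-01T02:00:05Z",
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "event.outcome": "Success",
        "user.name": "key-rotation-automation",
        "source.ip": "10.0.0.5",
    },
    {  # interactive regeneration at 03:17 by a person; lowercase outcome
        "@timestamp": "2021-03-01T03:17:41Z",
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "event.outcome": "success",
        "user.name": "jdoe@example.com",
        "source.ip": "203.0.113.44",
    },
    {  # failed regeneration attempt: the rule fires only on success
        "@timestamp": "2021-03-01T03:18:02Z",
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": REGENERATE_KEY_OP,
        "event.outcome": "Failure",
        "user.name": "jdoe@example.com",
        "source.ip": "203.0.113.44",
    },
    {  # reading keys is a different operation and is not matched
        "@timestamp": "2021-03-01T03:20:00Z",
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
        "event.outcome": "Success",
        "user.name": "jdoe@example.com",
        "source.ip": "203.0.113.44",
    },
]

# Assumed for the example: the principal that performs scheduled rotation and
# the UTC hours [start, end) in which it is expected to run.
KNOWN_ROTATORS = {"key-rotation-automation"}
MAINTENANCE_WINDOW = (1, 3)


def matches_rule(event: dict) -> bool:
    """Mirror of the current (version 2+) rule query: dataset, operation name
    and a successful outcome in either capitalisation."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == REGENERATE_KEY_OP
        and event.get("event.outcome") in ("Success", "success")
    )


def matches_v1_query(event: dict) -> bool:
    """The version 1 query accepted only `event.outcome:Success`, so a source
    that reports the lowercase form would have been missed."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == REGENERATE_KEY_OP
        and event.get("event.outcome") == "Success"
    )


def run_rule(events: list) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def triage(matches: list, known_rotators: set, window: tuple) -> list:
    """Apply the investigation guidance: drop regenerations by a known rotation
    principal inside its window; return (event, reason) for everything else."""
    start, end = window
    findings = []
    for e in matches:
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        in_window = start <= ts.astimezone(timezone.utc).hour < end
        if e["user.name"] in known_rotators and in_window:
            continue  # expected, scheduled rotation: exempt
        reasons = []
        if e["user.name"] not in known_rotators:
            reasons.append("unfamiliar principal")
        if not in_window:
            reasons.append("outside rotation window")
        findings.append((e, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for event, reason in triage(run_rule(EVENTS), KNOWN_ROTATORS, MAINTENANCE_WINDOW):
        print(f"{event['@timestamp']} {event['user.name']} from {event['source.ip']}: {reason}")
```

Running the block leaves only the 03:17 regeneration by jdoe@example.com, flagged as an unfamiliar principal outside the rotation window; the scheduled rotation is exempted, and the failed attempt and the key read do not match the rule at all. The same lowercase `success` event is exactly the case the version 2 query change picked up.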