Azure Event Hub Authorization Rule Created or Updated | Elastic Security Solution [8.13]

› ›

« AWS IAM Assume Role Policy Update Azure Service Principal Addition »

Azure Event Hub Authorization Rule Created or Updatededit

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.

Rule type: query

Rule indices:

filebeat-*
logs-azure*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Log Auditing

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Data from Cloud Storage
- ID: T1530
- Reference URL: https://attack.mitre.org/techniques/T1530/
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Transfer Data to Cloud Account
- ID: T1537
- Reference URL: https://attack.mitre.org/techniques/T1537/

« AWS IAM Assume Role Policy Update Azure Service Principal Addition »