forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
collection_update_event_hub_auth_rule.toml
71 lines (60 loc) · 2.54 KB
/
collection_update_event_hub_auth_rule.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's
recommended that you treat this rule like an administrative root account and don't use it in your application.
"""
false_positives = [
"""
Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions
or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false
positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Event Hub Authorization Rule Created or Updated"
note = """## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
risk_score = 47
rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"