Azure Storage Account Key Regenerated
editAzure Storage Account Key Regenerated
editIdentifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.
Rule type: query
Rule indices:
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-25m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 1
Added (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editIt’s recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.
Investigation guide
editThe Azure Filebeat module must be enabled to use this rule.
Rule query
editevent.dataset:azure.activitylogs and azure.activitylogs.operation_name :MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:Success
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Steal Application Access Token
- ID: T1528
- Reference URL: https://attack.mitre.org/techniques/T1528/