IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Diagnostic Settings Deletion Azure Event Hub Deletion »

› › ›

Azure Event Hub Authorization Rule Created or Updated

edit

Azure Event Hub Authorization Rule Created or Updated

edit

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.

Rule type: query

Rule indices:

filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Log Auditing

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Investigation guide

edit

The Azure Filebeat module must be enabled to use this rule.

Rule query

edit

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and
event.outcome:Success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Data from Cloud Storage Object
- ID: T1530
- Reference URL: https://attack.mitre.org/techniques/T1530/
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Transfer Data to Cloud Account
- ID: T1537
- Reference URL: https://attack.mitre.org/techniques/T1537/

« Azure Diagnostic Settings Deletion Azure Event Hub Deletion »