Azure Event Hub Authorization Rule Created or Updated
editAzure Event Hub Authorization Rule Created or Updated
editIdentifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.
Rule type: query
Rule indices:
- filebeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-25m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Log Auditing
Version: 1
Added (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editAuthorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Investigation guide
editThe Azure Filebeat module must be enabled to use this rule.
Rule query
editevent.dataset:azure.activitylogs and azure.activitylogs.operation_name :MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:Success
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Data from Cloud Storage Object
- ID: T1530
- Reference URL: https://attack.mitre.org/techniques/T1530/
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Transfer Data to Cloud Account
- ID: T1537
- Reference URL: https://attack.mitre.org/techniques/T1537/