Excessive Secret or Key Retrieval from Azure Key Vault
edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
Excessive Secret or Key Retrieval from Azure Key Vault
editIdentifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting possible credential harvesting or misuse of sensitive information.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 43
Runs every: 8m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Storage
- Domain: Identity
- Data Source: Azure
- Data Source: Azure Platform Logs
- Data Source: Azure Key Vault
- Use Case: Threat Detection
- Use Case: Identity and Access Audit
- Tactic: Credential Access
- Resources: Investigation Guide
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating Excessive Secret or Key Retrieval from Azure Key Vault
Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
Possible investigation steps
-
Review the
azure.platformlogs.identity.claim.upnfield to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious. -
Check the
azure.platformlogs.identity.claim.appidorazure.platformlogs.identity.claim.appid_display_nameto identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies. -
Analyze the
azure.platformlogs.resource.namefield to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources. -
Review the
event.actionfield to confirm the specific actions being performed, such asKeyGet,SecretGet, orCertificateGet. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault. -
Check the
source.iporgeo.*fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user’s typical behavior. -
Use the
time_windowfield to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity. - Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
False positive analysis
- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
Response and remediation
- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
Setup
editRequired Azure Key Vault Diagnostic Logs
To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault: - AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
Rule query
editfrom logs-azure.platformlogs-* metadata _id, _index
// Filter for Azure Key Vault read operations
| where event.dataset == "azure.platformlogs"
and event.action in (
"VaultGet",
"KeyGet",
"KeyList",
"KeyListVersions",
"KeyGetDeleted",
"KeyListDeleted",
"SecretGet",
"SecretList",
"SecretListVersions",
"SecretGetDeleted",
"SecretListDeleted",
"CertificateGet",
"CertificateList",
"CertificateListVersions",
"CertificateGetDeleted",
"CertificateListDeleted",
"CertificatePolicyGet",
"CertificateContactsGet",
"CertificateIssuerGet",
"CertificateIssuersList"
)
// Truncate timestamps into 1-minute windows
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
// Aggregate identity, geo, resource, and activity info
| stats
Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
Esql.azure_platformlogs_identity_claim_objectid_values = values(azure.platformlogs.identity.claim.objectid),
Esql.source_ip_values = values(source.ip),
Esql.geo_city_values = values(geo.city_name),
Esql.geo_region_values = values(geo.region_name),
Esql.geo_country_values = values(geo.country_name),
Esql.source_as_organization_name_values = values(source.as.organization.name),
Esql.event_action_values = values(event.action),
Esql.event_count = count(*),
Esql.event_action_count_distinct = count_distinct(event.action),
Esql.azure_resource_name_count_distinct = count_distinct(azure.resource.name),
Esql.azure_resource_name_values = values(azure.resource.name),
Esql.azure_platformlogs_result_type_values = values(azure.platformlogs.result_type),
Esql.cloud_region_values = values(cloud.region),
Esql.agent_name_values = values(agent.name),
Esql.azure_subscription_id_values = values(azure.subscription_id),
Esql.azure_resource_group_values = values(azure.resource.group),
Esql.azure_resource_id_values = values(azure.resource.id)
by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
// keep relevant fields
| keep
Esql.time_window_date_trunc,
Esql_priv.azure_platformlogs_identity_claim_upn_values,
Esql.azure_platformlogs_identity_claim_upn_count_distinct,
Esql.azure_platformlogs_identity_claim_appid_values,
Esql.azure_platformlogs_identity_claim_objectid_values,
Esql.source_ip_values,
Esql.geo_city_values,
Esql.geo_region_values,
Esql.geo_country_values,
Esql.source_as_organization_name_values,
Esql.event_action_values,
Esql.event_count,
Esql.event_action_count_distinct,
Esql.azure_resource_name_count_distinct,
Esql.azure_resource_name_values,
Esql.azure_platformlogs_result_type_values,
Esql.cloud_region_values,
Esql.agent_name_values,
Esql.azure_subscription_id_values,
Esql.azure_resource_group_values,
Esql.azure_resource_id_values
// Filter for suspiciously high volume of distinct Key Vault reads by a single actor
| where Esql.azure_platformlogs_identity_claim_upn_count_distinct == 1 and Esql.event_count >= 10 and Esql.event_action_count_distinct >= 2
| sort Esql.time_window_date_trunc desc
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Credentials from Password Stores
- ID: T1555
- Reference URL: https://attack.mitre.org/techniques/T1555/
-
Sub-technique:
- Name: Cloud Secrets Management Stores
- ID: T1555.006
- Reference URL: https://attack.mitre.org/techniques/T1555/006/