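# Sentinel hunting query: report "List Storage Account Keys" calls that a caller
# made from an IP address outside that caller's learned set of IPs for the window.
id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
name: Azure storage key enumeration
description: |
  Listing of storage keys is an interesting operation in Azure which might expose additional
  secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
  type, it would be interesting to see if the account performing this activity or the source IP address from
  which it is being done is anomalous.
  The query below generates known clusters of IP address per caller; notice that users which only had single
  operations do not appear in this list as we cannot learn from it their normal activity (only based on a single
  event). The activities for listing storage account keys are correlated with these learned
  clusters of expected activities and activity which is not expected is returned.
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
tactics:
  - Discovery
relevantTechniques:
  - T1087
# Query notes:
#   - The baseline subquery collapses each caller's autocluster rows into ONE set of
#     expected IPs before the join. Joining on Caller alone against the raw autocluster
#     output pairs every event with every cluster row of that caller, so a caller with
#     two or more clusters was reported on every event (its IP always differs from some
#     other cluster's IP). "Expected" here means membership in the caller's whole set.
#   - autocluster is expected to emit an empty value for a column it wildcards in a
#     cluster; an empty expected IP never equals a real one, so those rows are dropped.
#     A caller whose only cluster is a wildcard therefore has no learned IP and is not
#     matched by the inner join at all, consistent with "unlearnable activity is not
#     reported" in the description.
#   - make_set replaces the deprecated makeset alias; behaviour is the same.
#   - NOTE(review): newer AzureActivity schema versions report the status as "Success"
#     rather than "Succeeded"; confirm against the workspace before relying on this filter.
query: |
  let timeframe = 7d;
  AzureActivity
  | where TimeGenerated >= ago(timeframe)
  | where OperationNameValue == "List Storage Account Keys"
  | where ActivityStatusValue == "Succeeded"
  | join kind=inner (
      AzureActivity
      | where TimeGenerated >= ago(timeframe)
      | where OperationNameValue == "List Storage Account Keys"
      | where ActivityStatusValue == "Succeeded"
      | project ExpectedIpAddress=CallerIpAddress, Caller
      | evaluate autocluster()
      | where isnotempty(ExpectedIpAddress)
      | summarize ExpectedIpAddresses = make_set(ExpectedIpAddress) by Caller
  ) on Caller
  | where not(set_has_element(ExpectedIpAddresses, CallerIpAddress))
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
  | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity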