Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
3 contributors

Users who have contributed to this file

@sagamzu @ashwin-patil @shainw
50 lines (49 sloc) 3.04 KB
id: 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c
name: Mass secret retrieval from Azure Key Vault
description: |
'Identifies mass secret retrieval from Azure Key Vault from a single user.
Mass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications.'
severity: Low
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003
query: |
let starttime =1d;
let endtime = 1h;
let AlertTriggerThreshold = 25;
let OperationList = dynamic(
["SecretGet", "KeyGet", "VaultGet"]);
AzureDiagnostics
| where TimeGenerated between (ago(starttime)..ago(endtime))
| extend ResultType = columnifexists("ResultType", "None"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")
| where ResultType != "None" and isnotempty(ResultType)
| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g != "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)
| where ResourceType == "VAULTS" and ResultType == "Success"
| where OperationName in (OperationList)
| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName
| where count_ > AlertTriggerThreshold
| join (
AzureDiagnostics
| where TimeGenerated between (ago(starttime)..ago(endtime))
| extend ResultType = columnifexists("ResultType", "NoResultType")
| extend requestUri_s = columnifexists("requestUri_s", "None"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")
| extend id_s = columnifexists("id_s", "None"), CallerIPAddress = columnifexists("CallerIPAddress", "None"), clientInfo_s = columnifexists("clientInfo_s", "None")
| where ResultType != "None" and isnotempty(ResultType)
| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g != "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)
| where id_s != "None" and isnotempty(id_s)
| where CallerIPAddress != "None" and isnotempty(CallerIPAddress)
| where clientInfo_s != "None" and isnotempty(clientInfo_s)
| where requestUri_s != "None" and isnotempty(requestUri_s)
| where OperationName in (OperationList)
) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g
| project TimeGenerated, ResourceType, ResultType, Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s
| extend timestamp = TimeGenerated, IPCustomEntity = CallerIPAddress, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g
You can’t perform that action at this time.