id: 0914adab-90b5-47a3-a79f-7cdcac843aa7
name: Azure Key Vault access TimeSeries anomaly
description: |
'Identifies a sudden increase in count of Azure Key Vault access by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm
to find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an
indication of adversary dumping credentials via automated methods.'
severity: Low
requiredDataConnectors:
- connectorId: WAF
dataTypes:
- AzureDiagnostics
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003
query: |
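// Baseline window (14 days) and bucket size (1 hour) for the time series.
// timeframe is used both for make-series and for the join bucket below so
// that the two sides of the join use the same bucket size.
let starttime = 14d;
let timeframe = 1h;
// Score cutoff handed to series_decompose_anomalies.
let scorethreshold = 1.5;
// Only these Get operations against vaults are counted.
let OperationList = dynamic(
["SecretGet", "KeyGet", "VaultGet"]);
// Hourly count of successful Key Vault Get operations per Resource over the window.
// NOTE(review): the series ends at startofday(now()), so the current day's
// accesses are not scored — confirm this is intended given queryFrequency 1h.
let TimeSeriesData = AzureDiagnostics
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| extend ResultType = columnifexists("ResultType", "None"), CallerIPAddress = columnifexists("CallerIPAddress", "None")
| where ResultType != "None" and isnotempty(ResultType)
| where CallerIPAddress != "None" and isnotempty(CallerIPAddress)
| where ResourceType == "VAULTS" and ResultType == "Success"
| where OperationName in (OperationList)
| project TimeGenerated, OperationName, Resource, CallerIPAddress
| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;
// Filter anomalies against TimeSeriesData. Only positive anomalies (count above
// the baseline) are kept, matching the "sudden increase" this rule looks for.
let TimeSeriesAlerts = TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')
| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)
| where anomalies > 0 | extend AnomalyHour = TimeGenerated
| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;
// Join against base logs to retrieve records associated with the hour of anomaly.
// The inner side is bucketed with the same timeframe as the series (rather than
// a separate hard-coded 1h) so TimeGenerated matches on both sides of the join.
TimeSeriesAlerts
| join (
AzureDiagnostics
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| extend ResultType = columnifexists("ResultType", "NoResultType")
| extend requestUri_s = columnifexists("requestUri_s", "None"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", "None")
| extend id_s = columnifexists("id_s", "None"), CallerIPAddress = columnifexists("CallerIPAddress", "None"), clientInfo_s = columnifexists("clientInfo_s", "None")
| where ResultType != "None" and isnotempty(ResultType)
| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g != "None" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)
| where id_s != "None" and isnotempty(id_s)
| where CallerIPAddress != "None" and isnotempty(CallerIPAddress)
| where clientInfo_s != "None" and isnotempty(clientInfo_s)
| where requestUri_s != "None" and isnotempty(requestUri_s)
| where ResourceType == "VAULTS" and ResultType == "Success"
| where OperationName in (OperationList)
| summarize PerOperationCount=count() by bin(TimeGenerated, timeframe), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s
) on Resource, TimeGenerated
| project AnomalyHour, Resource, CallerIPAddress, HourlyCount, baseline, anomalies, score, OperationName, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s, PerOperationCount
// Entity mappings consumed by the analytics rule: timestamp, IP and account.
| extend timestamp = AnomalyHour, IPCustomEntity = CallerIPAddress, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g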