Mass secret retrieval from Azure Key Vault
| Id | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c |
| Rulename | Mass secret retrieval from Azure Key Vault |
| Description | Identifies mass secret retrieval from Azure Key Vault observed by a single user. Mass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. You can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise |
| Severity | Low |
| Tactics | CredentialAccess |
| Techniques | T1003 |
| Required data connectors | AzureKeyVault |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Key Vault/Analytic Rules/KeyvaultMassSecretRetrieval.yaml |
| Version | 1.0.8 |
| Arm template | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c.json |
let DistinctSecretsThreshold = 10;
let EventCountThreshold = 50;
// To avoid any False Positives, filtering using AppId is recommended.
// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.
// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.
let AllowedAppId = dynamic(["509e4652-da8d-478d-a730-e9d4a1996ca4","8cae6e77-e04e-42ce-b5cb-50d82bce26b1"]);
let OperationList = dynamic(["SecretGet", "KeyGet", "VaultGet"]);
AzureDiagnostics
| where OperationName in (OperationList) and ResourceType =~ "VAULTS"
| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')
| extend
ResourceId,
ResultType = column_ifexists("ResultType", ""),
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", ""),
identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists("identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s", ""),
identity_claim_oid_g = column_ifexists("identity_claim_oid_g", ""),
identity_claim_upn_s = column_ifexists("identity_claim_upn_s", "")
| extend
CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),
CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)
| as _Retrievals
| where CallerObjectId in (toscalar(
_Retrievals
| where ResultType == "Success"
| summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId
| where Count > DistinctSecretsThreshold
| summarize make_set(CallerObjectId,10000)
))
| extend
requestUri_s = column_ifexists("requestUri_s", ""),
id_s = column_ifexists("id_s", ""),
CallerIPAddress = column_ifexists("CallerIPAddress", ""),
clientInfo_s = column_ifexists("clientInfo_s", "")
| summarize
EventCount = count(),
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
ResourceList = make_set(Resource, 50),
OperationNameList = make_set(OperationName, 50),
RequestURLList = make_set(requestUri_s, 50),
ResourceId = max(ResourceId),
CallerIPList = make_set(CallerIPAddress, 50),
clientInfo_sList = make_set(clientInfo_s, 50),
CallerIPMax = max(CallerIPAddress)
by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN
| where EventCount > EventCountThreshold
| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList
| extend timestamp = EndTime
description: |
'Identifies mass secret retrieval from Azure Key Vault observed by a single user.
Mass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications.
You can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise'
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: AzureKeyVault
dataTypes:
- KeyVaultData
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Key Vault/Analytic Rules/KeyvaultMassSecretRetrieval.yaml
severity: Low
name: Mass secret retrieval from Azure Key Vault
triggerThreshold: 0
queryPeriod: 1d
query: |
let DistinctSecretsThreshold = 10;
let EventCountThreshold = 50;
// To avoid any False Positives, filtering using AppId is recommended.
// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.
// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.
let AllowedAppId = dynamic(["509e4652-da8d-478d-a730-e9d4a1996ca4","8cae6e77-e04e-42ce-b5cb-50d82bce26b1"]);
let OperationList = dynamic(["SecretGet", "KeyGet", "VaultGet"]);
AzureDiagnostics
| where OperationName in (OperationList) and ResourceType =~ "VAULTS"
| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')
| extend
ResourceId,
ResultType = column_ifexists("ResultType", ""),
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists("identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g", ""),
identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists("identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s", ""),
identity_claim_oid_g = column_ifexists("identity_claim_oid_g", ""),
identity_claim_upn_s = column_ifexists("identity_claim_upn_s", "")
| extend
CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),
CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)
| as _Retrievals
| where CallerObjectId in (toscalar(
_Retrievals
| where ResultType == "Success"
| summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId
| where Count > DistinctSecretsThreshold
| summarize make_set(CallerObjectId,10000)
))
| extend
requestUri_s = column_ifexists("requestUri_s", ""),
id_s = column_ifexists("id_s", ""),
CallerIPAddress = column_ifexists("CallerIPAddress", ""),
clientInfo_s = column_ifexists("clientInfo_s", "")
| summarize
EventCount = count(),
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
ResourceList = make_set(Resource, 50),
OperationNameList = make_set(OperationName, 50),
RequestURLList = make_set(requestUri_s, 50),
ResourceId = max(ResourceId),
CallerIPList = make_set(CallerIPAddress, 50),
clientInfo_sList = make_set(clientInfo_s, 50),
CallerIPMax = max(CallerIPAddress)
by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN
| where EventCount > EventCountThreshold
| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList
| extend timestamp = EndTime
relevantTechniques:
- T1003
id: 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.8
entityMappings:
- entityType: Account
fieldMappings:
- columnName: CallerObjectId
identifier: Name
- entityType: IP
fieldMappings:
- columnName: CallerIPMax
identifier: Address