authorization rule additions or modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. authorization rule additions or modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

T1530
t1537
azure
elastic

Techniques

T1530
T1537

Sample rules

Azure Event Hub Authorization Rule Created or Updated

source: elastic
technicques:
- T1530
- T1537

Description

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.

Detection logic

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)