It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.

Techniques

Sample rules

Azure Storage Account Key Regenerated

Description

Identifies a rotation of storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.

Detection logic

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
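
The triage described in the false-positive note, applied to events that match the query above. This is an added example, not part of the original rule. The `user.name` and `source.ip` field names, the rotation principal, the network range, the rotation hours and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

OPERATION = "MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION"
# Assumed baseline for "normal key rotation" (not from the page): adjust per tenant.
ROTATION_PRINCIPALS = {"svc-keyrotation@example.com"}
ROTATION_NETWORKS = [ip_network("203.0.113.0/24")]
ROTATION_HOURS_UTC = range(1, 4)  # scheduled rotation runs 01:00-03:59 UTC

def matches_rule(ev):
    """Same three conditions as the detection query."""
    return (ev.get("event.dataset") == "azure.activitylogs"
            and ev.get("azure.activitylogs.operation_name") == OPERATION
            and ev.get("event.outcome") in ("Success", "success"))

def triage(ev):
    """Return (verdict, reasons): exempt normal rotation, flag anything unfamiliar."""
    if not matches_rule(ev):
        return "no_match", []
    reasons = []
    if ev.get("user.name") not in ROTATION_PRINCIPALS:  # assumed field name
        reasons.append("unfamiliar user")
    try:
        ip = ip_address(ev.get("source.ip", ""))  # assumed field name
        if not any(ip in net for net in ROTATION_NETWORKS):
            reasons.append("unfamiliar source")
    except ValueError:
        reasons.append("missing or invalid source ip")
    ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
    if ts.astimezone(timezone.utc).hour not in ROTATION_HOURS_UTC:
        reasons.append("outside rotation window")
    return ("investigate", reasons) if reasons else ("expected_rotation", [])

def make_event(ts, outcome, user, ip):
    """Build a constructed sample event in flattened field form."""
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "azure.activitylogs.operation_name": OPERATION,
            "event.outcome": outcome, "user.name": user, "source.ip": ip}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    make_event("2024-05-01T02:15:00Z", "Success", "svc-keyrotation@example.com", "203.0.113.10"),
    make_event("2024-05-03T14:40:00Z", "success", "j.doe@example.com", "198.51.100.7"),
    make_event("2024-05-03T14:41:00Z", "Failure", "j.doe@example.com", "198.51.100.7"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["@timestamp"], ev["user.name"], *triage(ev))
```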