security teams performing routine audits or assessments that involve retrieving keys or secrets from key vaults may trigger this rule if they perform multiple retrievals in a short time frame.

Techniques

T1555

Sample rules

Azure Key Vault Secret Key Usage by Unusual Identity

source: elastic
technicques:
- T1555

Description

Identifies secrets, keys, or certificates retrieval operations from Azure Key Vault by a user principal that has not been seen previously doing so in a certain amount of days. Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. Unauthorized or excessive retrievals may indicate potential abuse or unauthorized access attempts.

Detection logic

event.dataset : "azure.platformlogs" and
event.outcome: "success" and
event.action : (
    "VaultGet" or
    "KeyGet" or
    "KeyList" or
    "KeyListVersions" or
    "KeyGetDeleted" or
    "KeyListDeleted" or
    "SecretGet" or
    "SecretList" or
    "SecretListVersions" or
    "SecretGetDeleted" or
    "SecretListDeleted" or
    "CertificateGet" or
    "CertificateList" or
    "CertificateListVersions" or
    "CertificateGetDeleted" or
    "CertificateListDeleted" or
    "CertificatePolicyGet" or
    "CertificateContactsGet" or
    "CertificateIssuerGet" or
    "CertificateIssuersList"
) and azure.platformlogs.identity.claim.upn: * and azure.platformlogs.properties.id: *

Excessive Secret or Key Retrieval from Azure Key Vault

source: elastic
technicques:
- T1555

Description

Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal user behavior, suggesting possible credential harvesting or misuse of sensitive information.

Detection logic

from logs-azure.platformlogs-* metadata _id, _index

// Filter for Azure Key Vault read operations
| where event.dataset == "azure.platformlogs"
  and event.action in (
    "VaultGet",
    "KeyGet",
    "KeyList",
    "KeyListVersions",
    "KeyGetDeleted",
    "KeyListDeleted",
    "SecretGet",
    "SecretList",
    "SecretListVersions",
    "SecretGetDeleted",
    "SecretListDeleted",
    "CertificateGet",
    "CertificateList",
    "CertificateListVersions",
    "CertificateGetDeleted",
    "CertificateListDeleted",
    "CertificatePolicyGet",
    "CertificateContactsGet",
    "CertificateIssuerGet",
    "CertificateIssuersList"
  )

// Truncate timestamps into 1-minute windows
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)

// Aggregate identity, geo, resource, and activity info
| stats
    Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
    Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
    Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),

    Esql.source_ip_values = values(source.ip),
    Esql.source_geo_city_values = values(source.geo.city_name),
    Esql.source_geo_region_values = values(source.geo.region_name),
    Esql.source_geo_country_values = values(source.geo.country_name),
    Esql.source_as_organization_name_values = values(source.as.organization.name),

    Esql.event_action_values = values(event.action),
    Esql.event_count = count(*),
    Esql.event_action_count_distinct = count_distinct(event.action),
    Esql.azure_resource_name_count_distinct = count_distinct(azure.resource.name),
    Esql.azure_resource_name_values = values(azure.resource.name),
    Esql.azure_platformlogs_result_type_values = values(azure.platformlogs.result_type),
    Esql.cloud_region_values = values(cloud.region),

    Esql.agent_name_values = values(agent.name),
    Esql.azure_subscription_id_values = values(azure.subscription_id),
    Esql.azure_resource_group_values = values(azure.resource.group),
    Esql.azure_resource_id_values = values(azure.resource.id)

by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn

// keep relevant fields
| keep
    Esql.time_window_date_trunc,
    Esql_priv.azure_platformlogs_identity_claim_upn_values,
    Esql.azure_platformlogs_identity_claim_upn_count_distinct,
    Esql.azure_platformlogs_identity_claim_appid_values,
    Esql.source_ip_values,
    Esql.source_geo_city_values,
    Esql.source_geo_region_values,
    Esql.source_geo_country_values,
    Esql.source_as_organization_name_values,
    Esql.event_action_values,
    Esql.event_count,
    Esql.event_action_count_distinct,
    Esql.azure_resource_name_count_distinct,
    Esql.azure_resource_name_values,
    Esql.azure_platformlogs_result_type_values,
    Esql.cloud_region_values,
    Esql.agent_name_values,
    Esql.azure_subscription_id_values,
    Esql.azure_resource_group_values,
    Esql.azure_resource_id_values

// Filter for suspiciously high volume of distinct Key Vault reads by a single actor
| where Esql.azure_platformlogs_identity_claim_upn_count_distinct == 1 and Esql.event_count >= 10 and Esql.event_action_count_distinct >= 2

| sort Esql.time_window_date_trunc desc