Detectionmediumtest
Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Azureactivitylogs
ProductAzure← raw: azure
Serviceactivitylogs← raw: activitylogs
Detection Logic
Detection Logic1 selector
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywordsFalse Positives
Valid change
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
c1182e02-49a3-481c-b3de-0fadc4091488
Status
test
Level
medium
Type
Detection
Created
Thu May 07
Modified
Wed Oct 11
Author
Path
rules/cloud/azure/activity_logs/azure_rare_operations.yml
Raw Tags
attack.t1003attack.credential-access