nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml

@@ -0,0 +1,179 @@
+[metadata]
+creation_date = "2024/12/11"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password
+(TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short
+time-span with a high number of distinct session IDs. Adversaries may programmatically attemopt to brute-force TOTP
+codes by generating several sessions and attempt to guess the correct code.
+"""
+false_positives = [
+    """
+    Based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed
+    TOTP code attempts in a short time-span over multiple sessions.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+note = """## Triage and analysis
+
+### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+
+This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
+
+#### Possible Investigation Steps:
+
+    - Check the source addresses associated with the failed TOTP attempts.
+    - Determine if the source IP address is consistent with the user’s typical login locations.
+    - Look for unusual geographic patterns or anomalous IP addresses (e.g., proxies, VPNs, or locations outside the user’s normal activity).
+    - Review the error code associated with the failed attempts. This can help identify if the failures are due to incorrect TOTP codes or other issues.
+    - Verify that that auth metho reported is `OAth` as it indicates the use of TOTP codes.
+    - Pivot into signin logs for the target user and check if auth via TOTP was successful which would indicate a successful brute force attempt.
+    - Review conditional access policies applied to the user or group as reported by the sign-in logs.
+    - Analyze the client application ID and display name to determine if the attempts are coming from a legitimate application or a potentially malicious script.
+        - Adversaries may use legitimate FOCI applications to bypass security controls or make login attempts appear legitimate.
+    - Review the resource ID access is being attempted against such as MyApps, Microsoft Graph, or other resources. This can help identify if the attempts are targeting specific applications or services.
+    - The correlation IDs or session IDs can be used to trace the authentication attempts across different logs or systems. Note that for this specific behavior, unique session ID count is high and could be challenging to correlate.
+
+#### False Positive Analysis:
+
+    - Verify if the failed attempts could result from the user’s unfamiliarity with TOTP codes or issues with device synchronization.
+    - Check if the user recently switched MFA methods or devices, which could explain multiple failures.
+    - Determine if this is whitebox testing or a developer testing MFA integration.
+
+#### Response and Remediation:
+
+    - If proven malicious, lock the affected account temporarily to prevent further unauthorized attempts.
+    - Notify the user of suspicious activity and validate their access to the account.
+    - Reset passwords and MFA settings for the affected user to prevent unauthorized access while communicating with the user.
+    - Ensure conditional access policies are configured to monitor and restrict anomalous login behavior.
+    - Consider a different MFA method or additional security controls to prevent future bypass attempts.
+    - Implement additional monitoring to track high-frequency authentication failures across the environment.
+    - Audit historical logs for similar patterns involving other accounts to identify broader threats.
+    - Provide guidance on the secure use of MFA and the importance of recognizing and reporting suspicious activity.
+"""
+references = [
+    "https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass",
+    "https://learn.microsoft.com/en-us/entra/identity/",
+    "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins",
+]
+risk_score = 47
+rule_id = "3fac01b2-b811-11ef-b25b-f661ea17fbce"
+setup = """#### Required Entra ID Sign-In Logs
+This rule requires the Entra ID sign-in logs via the Azure integration be enabled. In Entra ID, sign-in logs must be enabled and streaming to the Event Hub used for the Entra ID logs integration.
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Entra ID",
+    "Data Source: Entra ID Sign-in logs",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure.signinlogs-* metadata _id, _version, _index
+
+| where
+    // filter for Entra Sign-in Logs
+    event.dataset == "azure.signinlogs"
+    and azure.signinlogs.operation_name == "Sign-in activity"
+    and azure.signinlogs.properties.user_type == "Member"
+
+    // filter for MFA attempts with OATH conditional access attempts or TOTP
+    and azure.signinlogs.properties.mfa_detail.auth_method == "OATH verification code"
+
+    // filter on failures only from brute-force attempts
+    and (
+            (
+                azure.signinlogs.result_signature == "FAILURE" and
+                azure.signinlogs.result_description == "Authentication failed during strong authentication request."
+            ) or azure.signinlogs.properties.status.error_code == 500121
+        )
+
+| stats
+    Esql.event_count = count(*),
+    Esql.azure_signinlogs_properties_session_id_count_distinct = count_distinct(azure.signinlogs.properties.session_id),
+    Esql.source_address_values = values(source.address),
+    Esql.azure_tenant_id_valuues = values(azure.tenant_id),
+    Esql_priv.azure_identity_values = values(azure.signinlogs.identity),
+    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
+    Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
+    Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),
+    Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
+    Esql.azure_signinlogs_properties_authentication_protocol_values = values(azure.signinlogs.properties.authentication_protocol),
+    Esql.azure_signinlogs_properties_client_app_used_values = values(azure.signinlogs.properties.client_app_used),
+    Esql.azure_signinlogs_properties_client_credential_type_values = values(azure.signinlogs.properties.client_credential_type),
+    Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),
+    Esql.azure_signinlogs_properties_correlation_id_values = values(azure.signinlogs.properties.correlation_id),
+    Esql.azure_signinlogs_properties_is_interactive_values = values(azure.signinlogs.properties.is_interactive),
+    Esql.azure_signinlogs_properties_mfa_detail_auth_method_values = values(azure.signinlogs.properties.mfa_detail.auth_method),
+    Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
+    Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
+    Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),
+    Esql.azure_signinlogs_properties_risk_detail_values = values(azure.signinlogs.properties.risk_detail),
+    Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
+    Esql.azure_signinlogs_properties_original_request_id_values = values(azure.signinlogs.properties.original_request_id),
+    Esql.user_id_values = values(user.id)
+    by user.id
+
+| where Esql.event_count >= 20 and Esql.azure_signinlogs_properties_session_id_count_distinct >= 10
+
+| keep
+    Esql.event_count,
+    Esql.azure_signinlogs_properties_session_id_count_distinct,
+    Esql.source_address_values,
+    Esql.azure_tenant_id_valuues,
+    Esql_priv.azure_identity_values,
+    Esql_priv.azure_signinlogs_properties_user_principal_name_values,
+    Esql.azure_signinlogs_properties_app_id_values,
+    Esql.azure_signinlogs_properties_app_display_name_values,
+    Esql.azure_signinlogs_properties_authentication_requirement_values,
+    Esql.azure_signinlogs_properties_authentication_protocol_values,
+    Esql.azure_signinlogs_properties_client_app_used_values,
+    Esql.azure_signinlogs_properties_client_credential_type_values,
+    Esql.azure_signinlogs_properties_conditional_access_status_values,
+    Esql.azure_signinlogs_properties_correlation_id_values,
+    Esql.azure_signinlogs_properties_is_interactive_values,
+    Esql.azure_signinlogs_properties_mfa_detail_auth_method_values,
+    Esql.azure_signinlogs_properties_resource_display_name_values,
+    Esql.azure_signinlogs_properties_resource_id_values,
+    Esql.azure_signinlogs_properties_risk_state_values,
+    Esql.azure_signinlogs_properties_risk_detail_values,
+    Esql.azure_signinlogs_properties_status_error_code_values,
+    Esql.azure_signinlogs_properties_original_request_id_values,
+    Esql.user_id_values
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml

@@ -0,0 +1,96 @@
+[metadata]
+creation_date = "2021/08/12"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can
+be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted
+internal traffic.
+"""
+false_positives = [
+    """
+    Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user
+    agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar
+    users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
+    rule.
+    """,
+]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Full Network Packet Capture Detected"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Azure Full Network Packet Capture Detected
+
+Azure's Packet Capture is a feature of Network Watcher that allows for the inspection of network traffic, useful for diagnosing network issues. However, if misused, it can capture sensitive data from unencrypted traffic, posing a security risk. Adversaries might exploit this to access credentials or other sensitive information. The detection rule identifies suspicious packet capture activities by monitoring specific Azure activity logs for successful operations, helping to flag potential misuse.
+
+### Possible investigation steps
+
+- Review the Azure activity logs to identify the specific user or service principal associated with the packet capture operation by examining the `azure.activitylogs.operation_name` and `event.dataset` fields.
+- Check the timestamp of the detected packet capture activity to determine the exact time frame of the event and correlate it with any other suspicious activities or changes in the environment.
+- Investigate the source and destination IP addresses involved in the packet capture to understand the scope and potential impact, focusing on any unencrypted traffic that might have been captured.
+- Verify the legitimacy of the packet capture request by contacting the user or team responsible for the operation to confirm if it was authorized and necessary for troubleshooting or other legitimate purposes.
+- Assess the risk of exposed sensitive data by identifying any critical systems or services that were part of the captured network traffic, especially those handling credentials or personal information.
+
+### False positive analysis
+
+- Routine network diagnostics by authorized personnel can trigger the rule. To manage this, create exceptions for specific user accounts or IP addresses known to perform regular diagnostics.
+- Automated network monitoring tools might initiate packet captures as part of their normal operations. Identify these tools and exclude their activities from triggering alerts.
+- Scheduled maintenance activities often involve packet captures for performance analysis. Document these schedules and configure the rule to ignore captures during these periods.
+- Development and testing environments may frequently use packet capture for debugging purposes. Exclude these environments by filtering based on resource tags or environment identifiers.
+- Legitimate security audits may involve packet capture to assess network security. Coordinate with the audit team to whitelist their activities during the audit period.
+
+### Response and remediation
+
+- Immediately isolate the affected network segment to prevent further unauthorized packet capture and potential data exfiltration.
+- Revoke any suspicious or unauthorized access to Azure Network Watcher and related resources to prevent further misuse.
+- Conduct a thorough review of the captured network traffic logs to identify any sensitive data exposure and assess the potential impact.
+- Reset credentials and access tokens for any accounts or services that may have been compromised due to exposed unencrypted traffic.
+- Implement network encryption protocols to protect sensitive data in transit and reduce the risk of future packet capture exploitation.
+- Escalate the incident to the security operations team for further investigation and to determine if additional security measures are necessary.
+- Enhance monitoring and alerting for Azure Network Watcher activities to detect and respond to similar threats more effectively in the future.
+
+## Setup
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"]
+risk_score = 47
+rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
+    (
+        MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or
+        MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or
+        MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE
+    ) and
+event.outcome:(Success or success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml

@@ -0,0 +1,193 @@
+[metadata]
+creation_date = "2025/07/10"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies excessive secret or key retrieval operations from Azure Key Vault. This rule detects when a user principal
+retrieves secrets or keys from Azure Key Vault multiple times within a short time frame, which may indicate potential
+abuse or unauthorized access attempts. The rule focuses on high-frequency retrieval operations that deviate from normal
+user behavior, suggesting possible credential harvesting or misuse of sensitive information.
+"""
+false_positives = [
+    """
+    Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes
+    may trigger this rule.
+    """,
+    """
+    Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or
+    application configuration, may also lead to false positives.
+    """,
+    """
+    Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may
+    trigger this rule if they perform multiple retrievals in a short time frame.
+    """,
+]
+from = "now-9m"
+interval = "8m"
+language = "esql"
+license = "Elastic License v2"
+name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+note = """## Triage and analysis
+
+### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+
+Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
+
+### Possible investigation steps
+- Review the `azure.platformlogs.identity.claim.upn` field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious.
+- Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies.
+- Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
+- Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
+- Check the `source.ip` or `source.geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
+- Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
+- Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
+- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
+
+### False positive analysis
+- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
+- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+
+### Response and remediation
+- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
+- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
+- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
+- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
+- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
+- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
+"""
+references = ["https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html"]
+risk_score = 43
+rule_id = "c07f7898-5dc3-11f0-9f27-f661ea17fbcd"
+setup = """#### Required Azure Key Vault Diagnostic Logs
+
+To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault:
+- AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Storage",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Azure Platform Logs",
+    "Data Source: Azure Key Vault",
+    "Use Case: Threat Detection",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure.platformlogs-* metadata _id, _index
+
+// Filter for Azure Key Vault read operations
+| where event.dataset == "azure.platformlogs"
+  and event.action in (
+    "VaultGet",
+    "KeyGet",
+    "KeyList",
+    "KeyListVersions",
+    "KeyGetDeleted",
+    "KeyListDeleted",
+    "SecretGet",
+    "SecretList",
+    "SecretListVersions",
+    "SecretGetDeleted",
+    "SecretListDeleted",
+    "CertificateGet",
+    "CertificateList",
+    "CertificateListVersions",
+    "CertificateGetDeleted",
+    "CertificateListDeleted",
+    "CertificatePolicyGet",
+    "CertificateContactsGet",
+    "CertificateIssuerGet",
+    "CertificateIssuersList"
+  )
+
+// Truncate timestamps into 1-minute windows
+| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
+
+// Aggregate identity, geo, resource, and activity info
+| stats
+    Esql_priv.azure_platformlogs_identity_claim_upn_values = values(azure.platformlogs.identity.claim.upn),
+    Esql.azure_platformlogs_identity_claim_upn_count_distinct = count_distinct(azure.platformlogs.identity.claim.upn),
+    Esql.azure_platformlogs_identity_claim_appid_values = values(azure.platformlogs.identity.claim.appid),
+
+    Esql.source_ip_values = values(source.ip),
+    Esql.source_geo_city_values = values(source.geo.city_name),
+    Esql.source_geo_region_values = values(source.geo.region_name),
+    Esql.source_geo_country_values = values(source.geo.country_name),
+    Esql.source_as_organization_name_values = values(source.as.organization.name),
+
+    Esql.event_action_values = values(event.action),
+    Esql.event_count = count(*),
+    Esql.event_action_count_distinct = count_distinct(event.action),
+    Esql.azure_resource_name_count_distinct = count_distinct(azure.resource.name),
+    Esql.azure_resource_name_values = values(azure.resource.name),
+    Esql.azure_platformlogs_result_type_values = values(azure.platformlogs.result_type),
+    Esql.cloud_region_values = values(cloud.region),
+
+    Esql.agent_name_values = values(agent.name),
+    Esql.azure_subscription_id_values = values(azure.subscription_id),
+    Esql.azure_resource_group_values = values(azure.resource.group),
+    Esql.azure_resource_id_values = values(azure.resource.id)
+
+by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
+
+// keep relevant fields
+| keep
+    Esql.time_window_date_trunc,
+    Esql_priv.azure_platformlogs_identity_claim_upn_values,
+    Esql.azure_platformlogs_identity_claim_upn_count_distinct,
+    Esql.azure_platformlogs_identity_claim_appid_values,
+    Esql.source_ip_values,
+    Esql.source_geo_city_values,
+    Esql.source_geo_region_values,
+    Esql.source_geo_country_values,
+    Esql.source_as_organization_name_values,
+    Esql.event_action_values,
+    Esql.event_count,
+    Esql.event_action_count_distinct,
+    Esql.azure_resource_name_count_distinct,
+    Esql.azure_resource_name_values,
+    Esql.azure_platformlogs_result_type_values,
+    Esql.cloud_region_values,
+    Esql.agent_name_values,
+    Esql.azure_subscription_id_values,
+    Esql.azure_resource_group_values,
+    Esql.azure_resource_id_values
+
+// Filter for suspiciously high volume of distinct Key Vault reads by a single actor
+| where Esql.azure_platformlogs_identity_claim_upn_count_distinct == 1 and Esql.event_count >= 10 and Esql.event_action_count_distinct >= 2
+
+| sort Esql.time_window_date_trunc desc
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml

@@ -0,0 +1,142 @@
+[metadata]
+creation_date = "2025/07/10"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/07/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies secrets, keys, or certificates retrieval operations from Azure Key Vault by a user principal that has not
+been seen previously doing so in a certain amount of days. Azure Key Vault is a cloud service for securely storing and accessing secrets,
+keys, and certificates. Unauthorized or excessive retrievals may indicate potential abuse or unauthorized access
+attempts.
+"""
+false_positives = [
+    """
+    Service accounts or applications that frequently access Azure Key Vault for configuration or operational purposes
+    may trigger this rule.
+    """,
+    """
+    Automated scripts or processes that retrieve secrets or keys for legitimate purposes, such as secret rotation or
+    application configuration, may also lead to false positives.
+    """,
+    """
+    Security teams performing routine audits or assessments that involve retrieving keys or secrets from Key Vaults may
+    trigger this rule if they perform multiple retrievals in a short time frame.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.platformlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Key Vault Secret Key Usage by Unusual Identity"
+note = """## Triage and analysis
+
+### Investigating Azure Key Vault Secret Key Usage by Unusual Identity
+
+Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
+
+### Possible investigation steps
+- Review the `azure.platformlogs.identity.claim.upn` field to identify the user principal making the retrieval requests. This can help determine if the activity is legitimate or suspicious.
+- Check the `azure.platformlogs.identity.claim.appid` or `azure.platformlogs.identity.claim.appid_display_name` to identify the application or service making the requests. If the application is not recognized or authorized, it may indicate a potential security incident. It is plausible that the application is a FOCI compliant application, which are commonly abused by adversaries to evade security controls or conditional access policies.
+- Analyze the `azure.platformlogs.resource.name` field to determine which Key Vault is being accessed. This can help assess the impact of the retrieval operations and whether they target sensitive resources.
+- Review the `event.action` field to confirm the specific actions being performed, such as `KeyGet`, `SecretGet`, or `CertificateGet`. These actions indicate retrieval of keys, secrets, or certificates from the Key Vault.
+- Check the `source.ip` or `geo.*` fields to identify the source of the retrieval requests. Look for unusual or unexpected IP addresses, especially those associated with known malicious activity or geographic locations that do not align with the user's typical behavior.
+- Use the `time_window` field to analyze the frequency of retrieval operations. If multiple retrievals occur within a short time frame (e.g., within a few minutes), it may indicate excessive or suspicious activity.
+- Correlate the retrieval operations with other security events or alerts in the environment to identify any patterns or related incidents.
+- Triage the user with Entra ID sign-in logs to gather more context about their authentication behavior and any potential anomalies.
+
+### False positive analysis
+- Routine administrative tasks or automated scripts may trigger excessive retrievals, especially in environments where Key Vaults are heavily utilized for application configurations or secrets management. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+- Legitimate applications or services may perform frequent retrievals of keys or secrets for operational purposes, such as configuration updates or secret rotation. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+- Security teams may perform periodic audits or assessments that involve retrieving keys or secrets from Key Vaults. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user principals or applications.
+- Some applications may require frequent access to keys or secrets for normal operation, leading to high retrieval counts. If this is expected behavior, consider adjusting the rule or adding exceptions for specific applications or user principals.
+
+### Response and remediation
+- Investigate the user principal making the excessive retrieval requests to determine if they are authorized to access the Key Vault and its contents. If the user is not authorized, take appropriate actions to block their access and prevent further unauthorized retrievals.
+- Review the application or service making the requests to ensure it is legitimate and authorized to access the Key Vault. If the application is unauthorized or suspicious, consider blocking it and revoking its permissions to access the Key Vault.
+- Assess the impact of the excessive retrieval operations on the Key Vault and its contents. Determine if any sensitive data was accessed or compromised during the retrievals.
+- Implement additional monitoring and alerting for the Key Vault to detect any further suspicious activity or unauthorized access attempts.
+- Consider implementing stricter access controls or policies for Key Vaults to limit excessive retrievals and ensure that only authorized users and applications can access sensitive keys and secrets.
+- Educate users and administrators about the risks associated with excessive retrievals from Key Vaults and encourage them to follow best practices for managing keys and secrets in Azure environments.
+"""
+references = ["https://www.inversecos.com/2022/05/detection-and-compromise-azure-key.html"]
+risk_score = 43
+rule_id = "75c53838-5dcd-11f0-829c-f661ea17fbcd"
+setup = """#### Required Azure Key Vault Diagnostic Logs
+
+To ensure this rule functions correctly, the following diagnostic logs must be enabled for Azure Key Vault:
+- AuditEvent: This log captures all read and write operations performed on the Key Vault, including secret, key, and certificate retrievals. These logs should be streamed to the Event Hub used for the Azure integration configuration.
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Storage",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Azure Platform Logs",
+    "Data Source: Azure Key Vault",
+    "Use Case: Threat Detection",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset : "azure.platformlogs" and
+event.outcome: "success" and
+event.action : (
+    "VaultGet" or
+    "KeyGet" or
+    "KeyList" or
+    "KeyListVersions" or
+    "KeyGetDeleted" or
+    "KeyListDeleted" or
+    "SecretGet" or
+    "SecretList" or
+    "SecretListVersions" or
+    "SecretGetDeleted" or
+    "SecretListDeleted" or
+    "CertificateGet" or
+    "CertificateList" or
+    "CertificateListVersions" or
+    "CertificateGetDeleted" or
+    "CertificateListDeleted" or
+    "CertificatePolicyGet" or
+    "CertificateContactsGet" or
+    "CertificateIssuerGet" or
+    "CertificateIssuersList"
+) and azure.platformlogs.identity.claim.upn: * and azure.platformlogs.properties.id: *
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.006"
+name = "Cloud Secrets Management Stores"
+reference = "https://attack.mitre.org/techniques/T1555/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["azure.platformlogs.identity.claim.upn","azure.platformlogs.properties.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+