
Summary
This detection rule, authored by Elastic, monitors for excessive retrieval of secrets or keys from Azure Key Vault. It identifies cases where a single user principal retrieves secrets or keys many times in quick succession, which may indicate unauthorized access or credential harvesting. The rule evaluates Azure Key Vault logs, specifically high-frequency read operations against keys, secrets, or certificates. If a user or application exceeds a predefined threshold of retrieval requests within a short time frame, the behavior is treated as suspicious and warrants investigation. The rule is tuned to reduce false positives from legitimate automated processes or administrative tasks that legitimately issue many retrieval requests. Analysts can review metadata such as the user principal, the application identity, and the timing of the retrievals to separate normal from anomalous behavior, and the rule ships with triage guidance for suspected incidents. Together these elements provide ongoing monitoring for security incidents involving sensitive data in Azure environments.
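An added example, not Elastic's rule logic, of the sliding-window count the summary describes, run over constructed Key Vault log records. The operation names follow Azure Key Vault diagnostic logging; the threshold, window, success-only filter, record shape and identities are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure Key Vault diagnostic-log operation names for object reads.
# Threshold, window and success-only filtering are assumed values for
# this example, not the settings in Elastic's rule.
READ_OPERATIONS = {"SecretGet", "KeyGet", "CertificateGet"}
THRESHOLD = 5                  # flag once a principal exceeds this many reads
WINDOW = timedelta(minutes=5)  # the "short time frame"

def principal_of(event):
    """Identity to count by: user principal name first, else the app id."""
    claims = event.get("identity", {}).get("claim", {})
    return claims.get("upn") or claims.get("appid") or "unknown"

def excessive_retrievals(events, threshold=THRESHOLD, window=WINDOW):
    """Return {principal: (count, window_start, window_end)} for each
    principal whose successful reads exceed `threshold` inside any sliding
    window of length `window` (first violation only)."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["operationName"] in READ_OPERATIONS and ev["resultSignature"] == "OK":
            by_principal[principal_of(ev)].append(datetime.fromisoformat(ev["time"]))
    alerts = {}
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            if end - start + 1 > threshold:
                alerts[principal] = (end - start + 1, times[start].isoformat(), t.isoformat())
                break
    return alerts

def make_event(ts, op, upn=None, appid=None, result="OK"):
    """Build a constructed log record in a simplified Key Vault log shape."""
    claim = {k: v for k, v in (("upn", upn), ("appid", appid)) if v}
    return {"time": ts, "operationName": op, "resultSignature": result,
            "identity": {"claim": claim}}

# Constructed sample events: a user reading 7 secrets in 90 seconds (suspicious),
# an app reading 3 keys an hour apart (normal) and one denied read (ignored).
BASE = datetime(2025, 7, 10, 9, 0, 0)
SAMPLE_EVENTS = (
    [make_event((BASE + timedelta(seconds=s)).isoformat(), "SecretGet", upn="alice@example.com")
     for s in (0, 10, 20, 30, 45, 60, 90)]
    + [make_event((BASE + timedelta(hours=h)).isoformat(), "KeyGet", appid="app-0001") for h in (0, 1, 2)]
    + [make_event((BASE + timedelta(minutes=5)).isoformat(), "SecretGet", upn="bob@example.com", result="Forbidden")]
)
```

Calling `excessive_retrievals(SAMPLE_EVENTS)` flags only the user account, reporting the count at the moment the threshold was first exceeded together with the window bounds an analyst would pivot on.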
Categories
- Cloud
- Azure
- Kubernetes
Data Sources
- Cloud Service
- Application Log
- Network Traffic
- User Account
- Malware Repository
ATT&CK Techniques
- T1555
- T1555.006
Created: 2025-07-10