Threat Detection for Key Vault in Azure Security Center

From this article you may have realized that a Key Vault pricing tier can be enabled in Azure Security Center, even though it is not yet visible in the Azure Portal UI. A few days ago Microsoft released Threat Detection for Azure Key Vault in Azure Security Center as a Public Preview. With this capability, Azure Security Center can detect when a Key Vault is accessed from a TOR exit node, as well as other kinds of anomalous activity on your key vault.

In this article, let's simulate such an access and see what the resulting alert gives you.

Below is the list of alerts that Azure Security Center can raise for the Azure Key Vault service.

  • Access from a TOR exit node to a Key Vault: The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their location. Malicious actors often try to hide their location when attempting to gain unauthorized access to internet-connected resources.
  • Suspicious policy change and secret query in a Key Vault: A Key Vault policy change has been made and then operations to list and/or get secrets occurred. In addition, this operation pattern isn't normally performed by the user on this vault. This is highly indicative that the Key Vault is compromised and the secrets within have been stolen by a malicious actor.
  • Suspicious secret listing and query in a Key Vault: A Secret List operation was followed by many Secret Get operations. Also, this operation pattern isn't normally performed by the user on this vault. This indicates that someone could be dumping the secrets stored in the Key Vault for potentially malicious purposes.
  • Unusual user-application pair accessed a Key Vault: The Key Vault has been accessed by a User-Application pairing that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault.
  • Unusual application accessed a Key Vault: The Key Vault has been accessed by an Application that doesn't normally access it. This may be a legitimate access attempt (for example, following an infrastructure or code update). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault.
  • Unusual user accessed a Key Vault: The Key Vault has been accessed by a User that doesn't normally access it. This may be a legitimate access attempt (for example, a new user needing access has joined the organization). This is also a possible indication that your infrastructure is compromised and a malicious actor is trying to access your Key Vault.
  • Unusual operation pattern in a Key Vault: An unusual set of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary.
  • High volume of operations in a Key Vault: A larger volume of Key Vault operations has been performed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary.
  • User accessed high volume of Key Vaults: The number of vaults that a user or application accesses has changed compared with historical data. Key Vault activity is typically the same over time. This may be a legitimate change in activity. Alternatively, your infrastructure might be compromised and further investigations are necessary.

This list is taken from the reference here.

Enable Key Vault Threat Detection

You can go to Azure Security Center – Settings – Pricing tier to enable Key Vault.

You can also deploy the ARM template here to enable it. The template uses Incremental deployment mode, so it updates your existing Azure Security Center settings rather than replacing them.

You can use PowerShell with the Az.Security module to enable the Key Vault pricing tier:

Set-AzSecurityPricing -Name Keyvaults `
                      -PricingTier "Standard"

Audit Azure Security Center Pricing Tier

There are several ways to audit the pricing tier. You can use the script here to get all information about your Azure Security Center, including the pricing tier, or use an Azure Resource Graph query:

securityresources
 | where type == "microsoft.security/pricings"
 | extend tier = properties.pricingTier
 | where name == "KeyVaults" 
 | project subscriptionId, name, tier

The Resource Graph query is the fastest way to get the result, but it doesn't give you a friendly subscription name, so you need to look it up in your subscription list.

If using PowerShell, the following should help:

$pricing = Get-AzSecurityPricing | Where-Object {$_.Name -eq "KeyVaults"}
$pricing.PricingTier
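As an added example (not from the original post), the following PowerShell runs the same check across every subscription you can see and includes the friendly subscription name that the Resource Graph query lacks. It assumes the Az.Accounts and Az.Security modules are installed and that Connect-AzAccount has already been run; the function name Get-KeyVaultPricingTierReport is my own.

```powershell
# Added example, not from the original post. Assumes Az.Accounts and Az.Security
# are installed and Connect-AzAccount has already been run.
function Get-KeyVaultPricingTierReport {
    foreach ($sub in Get-AzSubscription) {
        # Get-AzSecurityPricing reads the current context, so switch it per subscription
        $null = Set-AzContext -Subscription $sub.Id

        # Same filter the post uses; a subscription that never onboarded to Security Center
        # returns nothing here, which is reported explicitly instead of silently skipped
        $pricing = Get-AzSecurityPricing -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -eq "KeyVaults" }
        $tier = if ($pricing) { $pricing.PricingTier } else { "NotConfigured" }

        [PSCustomObject]@{
            SubscriptionName = $sub.Name
            SubscriptionId   = $sub.Id
            PricingTier      = $tier
        }
    }
}

# Report every subscription where Key Vault threat detection is not on the Standard tier
Get-KeyVaultPricingTierReport |
    Where-Object { $_.PricingTier -ne "Standard" } |
    Format-Table -AutoSize
```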

Simulation

Most of the supported rules are based on unusual-activity and anomaly detection. Because we don't know the algorithm or the thresholds Microsoft uses, it is not easy to trigger those alerts deliberately. The only alert we could trigger is Access from a TOR exit node to a Key Vault. To do so, you can use the Tor Browser to log into Azure, then open a Key Vault and check a secret value or make an access policy change.

Wait a few minutes, or up to an hour, to see the alert in the Azure Security Center portal.

Log Schema

To be able to build a detection, and to drive incident response with Azure Logic Apps or similar tooling, let's look at what the alert looks like. Below is the alert in JSON format as returned by the Azure Security Center alert API.

{
    "id": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourceGroups/ags-dev-rg/providers/Microsoft.Security/locations/centralus/alerts/2518221083841138879_4f01cc23-4c5c-5468-9ca9-375b4de04162",
    "name": "2518221083841138879_4f01cc23-4c5c-5468-9ca9-375b4de04162",
    "type": "Microsoft.Security/Locations/alerts",
    "properties": {
        "vendorName": "Microsoft",
        "alertDisplayName": "PREVIEW - Access from a TOR exit node to a Key Vault",
        "alertName": "KV_TORAccess",
        "detectedTimeUtc": "2020-01-28T06:20:15.886112Z",
        "description": "While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.",
        "remediationSteps": "Please review your activity logs to determine if the access attempts that triggered this alert were legitimate. If you are concerned that these access attempts may not have been legitimate, please contact your security administrator and disable access policies to the user or application and rotate the secrets, keys, and passwords stored in this key vault.",
        "actionTaken": "Undefined",
        "reportedSeverity": "Medium",
        "compromisedEntity": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourcegroups/ags-dev-rg/providers/microsoft.keyvault/vaults/ags-dev-kv",
        "associatedResource": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourcegroups/ags-dev-rg/providers/microsoft.keyvault/vaults/ags-dev-kv",
        "subscriptionId": "67d6179d-a88d-4ccd-8c33-4d3ff2e13349",
        "instanceId": "4f01cc23-4c5c-5468-9ca9-375b4de04162",
        "extendedProperties": {
            "suspicious Operations": "[VaultPatch:4, VaultGet:2, SecretList:1]",
            "end Time UTC": "2020-01-28T06:21:55.7063180Z",
            "target": "https://ags-dev-kv.vault.azure.net/",
            "all vault operations in last 24 hours": "[VaultPut:2, SecretResourceGet:3, VaultPatch:4, VaultGet:10, SecretList:1, SecretResourcePut:3]",
            "attacker IP Address": "192.160.102.165",
            "start Time UTC": "2020-01-28 06:20:15.886112",
            "attacker Object ID": "f84a055f-2958-4186-bdc7-7e49bfec8cfa",
            "alert Reasons": "[The Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location.]",
            "upn": "linda.chung@azsec.net",
            "result Signature": "OK, Forbidden, ",
            "client Information": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0, Mozilla/5.0, ",
            "application ID": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c, 3686488a-04fc-4d8a-b967-61f98ec41efe",
            "resourceType": "Key Vault"
        },
        "state": "Active",
        "reportedTimeUtc": "2020-01-28T08:43:24.9560882Z",
        "workspaceArmId": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourcegroups/azsec-corporate-rg/providers/microsoft.operationalinsights/workspaces/azsec-shared-workspace",
        "confidenceReasons": [],
        "canBeInvestigated": true,
        "isIncident": false,
        "entities": [
            {
                "$id": "centralus_1",
                "resourceId": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourcegroups/ags-dev-rg/providers/microsoft.keyvault/vaults/ags-dev-kv",
                "type": "azure-resource"
            },
            {
                "$id": "centralus_2",
                "aadUserId": "f84a055f-2958-4186-bdc7-7e49bfec8cfa",
                "type": "account"
            },
            {
                "$id": "centralus_3",
                "address": "192.160.102.165",
                "location": {
                    "countryCode": "CA",
                    "countryName": "Canada",
                    "state": "Manitoba",
                    "city": "Winnipeg",
                    "longitude": -97.00116,
                    "latitude": 49.89346,
                    "asn": 395089
                },
                "type": "ip"
            }
        ]
    }
}

The alert provides the following useful information that helps you trace what happened:

  • compromisedEntity: the Azure Key Vault that was accessed, in resource ID format.
  • suspicious Operations: the operations performed on the detected vault, such as VaultPatch (access policy modification) and SecretList (list all secrets).
  • target: the key vault endpoint, e.g. https://keyvault.vault.azure.net
  • all vault operations in last 24 hours: the list of operations performed on the vault over the last 24 hours.
  • attacker IP Address: the IP address the request originated from.
  • start Time UTC: the date and time when the request started.
  • attacker Object ID: the object ID of the user principal.
  • upn: the user principal name that was used along with TOR.
  • client Information: the user agent that was used to access the Key Vault.
  • application ID:
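As an added example (not from the original post), the PowerShell below turns the extendedProperties of a KV_TORAccess alert into a triage object for a Logic App or runbook: it parses the bracketed "[Operation:count, ...]" strings, splits the comma-separated application IDs, and flags whether an access policy change and secret operations appear together. The function names ConvertFrom-OperationList and Get-KeyVaultAlertTriage are my own, and the sample JSON is a constructed, trimmed copy of the alert shown above.

```powershell
# Added example, not from the original post: turn the extendedProperties of a
# KV_TORAccess alert into a triage object. Field names match the sample alert above.
function ConvertFrom-OperationList {
    # Parses "[VaultPatch:4, VaultGet:2, SecretList:1]" into an operation -> count hashtable
    param([string]$Text)
    $ops = @{}
    foreach ($pair in ($Text.Trim('[', ']') -split ',\s*')) {
        if ($pair -match '^(?<op>\w+):(?<n>\d+)$') { $ops[$Matches.op] = [int]$Matches.n }
    }
    return $ops
}

function Get-KeyVaultAlertTriage {
    param([string]$AlertJson)
    $alert = $AlertJson | ConvertFrom-Json
    $ext   = $alert.properties.extendedProperties
    $suspicious = ConvertFrom-OperationList -Text ($ext.'suspicious Operations')
    [PSCustomObject]@{
        AlertName        = $alert.properties.alertName
        Vault            = ($alert.properties.compromisedEntity -split '/')[-1]
        Upn              = $ext.upn
        AttackerObjectId = $ext.'attacker Object ID'
        AttackerIp       = $ext.'attacker IP Address'
        # The alert packs several application IDs into one comma-separated string
        ApplicationIds   = @($ext.'application ID' -split ',\s*' | Where-Object { $_ })
        SuspiciousOps    = $suspicious
        # VaultPatch is an access policy change; Secret* operations touch secret material.
        # Both present together is the "policy change then secret query" pattern from the table.
        PolicyChanged    = $suspicious.ContainsKey('VaultPatch')
        SecretsTouched   = [bool]($suspicious.Keys | Where-Object { $_ -like 'Secret*' })
    }
}

# Constructed sample, trimmed from the alert JSON shown above
$sampleAlert = @'
{ "properties": {
    "alertName": "KV_TORAccess",
    "compromisedEntity": "/subscriptions/67d6179d-a88d-4ccd-8c33-4d3ff2e13349/resourcegroups/ags-dev-rg/providers/microsoft.keyvault/vaults/ags-dev-kv",
    "extendedProperties": {
      "suspicious Operations": "[VaultPatch:4, VaultGet:2, SecretList:1]",
      "attacker IP Address": "192.160.102.165",
      "attacker Object ID": "f84a055f-2958-4186-bdc7-7e49bfec8cfa",
      "upn": "linda.chung@azsec.net",
      "application ID": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c, 3686488a-04fc-4d8a-b967-61f98ec41efe"
    } } }
'@

Get-KeyVaultAlertTriage -AlertJson $sampleAlert | Format-List
```

For the sample above, PolicyChanged and SecretsTouched both come out true, which is the combination the remediation text says should lead to reviewing access policies and rotating the vault's secrets.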

Log Analytics Query

If you send alerts to a Log Analytics workspace, use the following query to get all alerts from Azure Key Vault threat detection:

SecurityAlert
| where parse_json(ExtendedProperties).resourceType == "Key Vault"

For the Tor exit node detection specifically, you can use the following one:

SecurityAlert
| where parse_json(ExtendedProperties).resourceType == "Key Vault" 
| where AlertType == "KV_TORAccess"

Here is a more advanced query that extracts the helpful fields:

SecurityAlert
| where DisplayName == "PREVIEW - Access from a TOR exit node to a Key Vault" or 
        AlertType == "KV_TORAccess" 
| extend ResourceName = (tostring(split(ResourceId, "/")[8]))
| extend ResourceGroup = (tostring(split(ResourceId, "/")[4]))
| mvexpand VaultOperationWithin24hours =  parse_json(ExtendedProperties)['All vault operations in last 24 hours']
| mvexpand ApplicationId = parse_json(ExtendedProperties)['Application ID']
| extend AttackerIp = parse_json(ExtendedProperties)['Attacker IP Address']
| extend AttackerObjectId = parse_json(ExtendedProperties)['Attacker Object ID']
| extend ClientInfo = parse_json(ExtendedProperties)['Client Information']
| extend StartTime = parse_json(ExtendedProperties)['Start Time UTC']
| extend EndTime = parse_json(ExtendedProperties)['End Time UTC']
| mvexpand SuspiciousOperations = parse_json(ExtendedProperties)['Suspicious Operations']
| extend UPN = parse_json(ExtendedProperties)['UPN']
| extend City = parse_json(Entities)[2]['Location']['City']
| extend CountryName = parse_json(Entities)[2]['Location']['CountryName']
| extend State = parse_json(Entities)[2]['Location']['State']
| extend Latitude = parse_json(Entities)[2]['Location']['Latitude']
| extend Longitude = parse_json(Entities)[2]['Location']['Longitude']
| project TimeGenerated,
          ResourceName,
          ResourceGroup,
          VaultOperationWithin24hours,
          ApplicationId,
          AttackerIp,
          AttackerObjectId,
          ClientInfo,
          StartTime,
          EndTime,
          SuspiciousOperations,
          UPN,
          City,
          CountryName,
          State,
          Latitude,
          Longitude

Conclusion

Azure Key Vault threat detection is still in Public Preview. This feature may give you noisy alerts if your environment heavily uses Azure Key Vault.
