Elastic Security Detection Rules

Azure Event Hub Authorization Rule Created or Updated

Last updated 7 months ago on 2025-01-15
Created 5 years ago on 2020-08-18

About

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.
Tags
Domain: CloudData Source: AzureUse Case: Log AuditingTactic: CollectionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Collection (TA0009)(opens in a new tab or window)

Data from Cloud Storage (T1530)(opens in a new tab or window)

Exfiltration (TA0010)(opens in a new tab or window)

Transfer Data to Cloud Account (T1537)(opens in a new tab or window)

False Positive Examples
Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-azure*
Related Integrations

azure(opens in a new tab or window)

Query
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)

Install detection rules in Elastic Security

Detect Azure Event Hub Authorization Rule Created or Updated in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).