[Rule Tuning] Azure Key Vault Modified #4895

@terrancedejesus

Description

Summary

The Azure Key Vault Modified rule needs tuning for noise and to expand scope. Regarding noise, this rule generates FPs across several customer clusters globally in what appears to be routine maintenance or administrative activity. To address this, we can adjust the rule to be New Terms on the user principal identified within the auth claims - making it flag on key vault changes only if the user doesn't regularly do it.

The MITRE ATT&CK tactic also needs to be adjusted to be Impact. This is not credential access behavior, but rather impactful depending on what changes were made to the Key Vault namespace. As a result, we will create a separate rule that analyzes Azure Platform logs for specific CRUD operations instead for nefarious behavior. However, it is still good to monitor changes to Key Vault that could indicate extended access to unauthorized users, changes to access policies, etc.

Regarding the query, we need to expand this to operations beyond WRITE for modifications, therefore we added a wildcard. I chose not to seclude this to user-principal-only behavior because stolen service principal or managed identity creds could allow adversaries to modify Key Vault resources.

Severity has also been lowered to low from medium.

Note - This is hypothetical as there currently is no public ItW or red-teaming research specific to Key Vault modifications for malicious activity. However, specific key access has red team research tied to it and will be included in a separate rule.
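The tuning described above (wildcard on the operation name instead of only WRITE, New Terms on the principal taken from the auth claims, and no exclusion of service principals or managed identities) as a toy re-implementation run over constructed Azure activity-log events. This is an added example, not code from the detection-rules project or from the issue author. The field paths follow the Elastic `azure.activitylogs` schema but the exact New Terms field the real rule uses, the `MICROSOFT.KEYVAULT/VAULTS/*` pattern, the 14-day history window, and every event below are assumptions made for illustration.

```python
"""Toy model of the tuned "Azure Key Vault Modified" logic (added example)."""
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Assumptions: the wildcard pattern and the new-terms history window are
# illustrative, not copied from the real rule.
OPERATION_PATTERN = "MICROSOFT.KEYVAULT/VAULTS/*"  # any vault modification, not only .../WRITE
HISTORY_WINDOW = timedelta(days=14)                 # how far back "seen before" counts


def principal_of(event):
    """Principal from the auth claims: the user's UPN when present, otherwise the
    app id of a service principal / managed identity, so those are still evaluated."""
    claims = event.get("azure", {}).get("activitylogs", {}).get("identity", {}).get("claims", {})
    return claims.get("upn") or claims.get("appid")


def is_key_vault_modification(event):
    """Base query: successful activity-log operation under the Key Vault namespace."""
    op = event.get("azure", {}).get("activitylogs", {}).get("operation_name", "")
    outcome = event.get("event", {}).get("outcome", "")
    return (
        event.get("event", {}).get("dataset") == "azure.activitylogs"
        and fnmatch(op.upper(), OPERATION_PATTERN)
        and outcome.lower() == "success"
    )


def new_terms_alerts(events, window=HISTORY_WINDOW):
    """New Terms behaviour: alert only when the principal has not modified a
    Key Vault within the history window. Returns (principal, operation, timestamp)."""
    last_seen = {}  # principal -> timestamp of its most recent matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not is_key_vault_modification(ev):
            continue
        principal = principal_of(ev)
        if principal is None:  # no usable claim, nothing to baseline on
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        seen = last_seen.get(principal)
        if seen is None or ts - seen > window:
            alerts.append((principal, ev["azure"]["activitylogs"]["operation_name"], ev["@timestamp"]))
        last_seen[principal] = ts
    return alerts


def _event(ts, op, outcome, upn=None, appid=None):
    """Build a constructed activity-log event in the shape the functions above read."""
    claims = {k: v for k, v in (("upn", upn), ("appid", appid)) if v}
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.activitylogs", "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": op, "identity": {"claims": claims}}},
    }


# Constructed sample events (deliberately out of order; the app id is made up).
SAMPLE_EVENTS = [
    _event("2024-03-02T09:00:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success", upn="admin@contoso.com"),
    _event("2024-03-01T09:00:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success", upn="admin@contoso.com"),
    _event("2024-03-03T11:30:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE", "Success", upn="admin@contoso.com"),
    _event("2024-03-03T12:00:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/DELETE", "Success",
           appid="5f1c8d2a-0000-4000-8000-000000000001"),
    _event("2024-03-04T08:00:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Failure", upn="bob@contoso.com"),
    _event("2024-03-04T08:05:00+00:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", upn="bob@contoso.com"),
    _event("2024-03-30T16:00:00+00:00", "MICROSOFT.KEYVAULT/VAULTS/WRITE", "Success", upn="admin@contoso.com"),
]

if __name__ == "__main__":
    for principal, op, ts in new_terms_alerts(SAMPLE_EVENTS):
        print(f"{ts} ALERT {principal} {op}")
```

Run as-is it emits three alerts: the admin's first write on 1 March, the service principal's delete on 3 March (a new principal even though it is not a user), and the admin again on 30 March because the previous activity fell outside the history window. The admin's routine writes on 2 and 3 March, the failed write, and the storage-account write produce nothing, which is the noise reduction the issue is after.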
