Identifies mass secret retrieval from Azure Key Vault by a single user. Mass secret retrieval that crosses a certain threshold is an indication of credential dump operations or misconfigured applications. You can tune the EventCountThreshold based on the average count seen in your environment, and filter out known source (IP/account) and user agent combinations based on historical analysis to further reduce noise.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Azure Key Vault |
| ID | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c |
| Severity | Low |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess |
| Techniques | T1003 |
| Required Connectors | AzureKeyVault |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AzureDiagnostics 🔶 | ResourceType == "VAULTS" | ? | ✗ | ? |