EXPLORE DETECTIONS
Azure Kubernetes Sensitive Role Access
Identifies when ClusterRoles/Roles are being modified or deleted.
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
Azure Kubernetes Services (AKS) Kubernetes Events Deleted
Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Azure Kubernetes Services (AKS) Kubernetes Pods Deleted
Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
Identifies the creation of role bindings or cluster role bindings. These bind roles to Kubernetes subjects (users, groups, or service accounts). An adversary who has permission to create bindings and cluster role bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high-privilege roles.
Azure Logic App Disabled or Deleted
Comment out if you want to look for attempts
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
Azure Monitor Rule Disabled
Azure Network Firewall Policy Modified or Deleted
Identifies when a Firewall Policy is Modified or Deleted.
Azure Network Security Configuration Modified or Deleted
Identifies when a network security configuration is modified or deleted.
Azure New CloudShell Created
Identifies when a new Cloud Shell is created inside the Azure portal.
Azure OpenAI Insecure Output Handling
Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions.
Azure Owner Removed From Application or Service Principal
Identifies when an owner was removed from an application or service principal in Azure.
Azure P2S (Point to site) Connection Success username and IP Parser
Parses the username and local IP from Azure VPN connection success logs. Diagnostic settings must be enabled for these logs to be collected.
Azure Point-to-site VPN Modified or Deleted
Identifies when a Point-to-site VPN is Modified or Deleted.
Azure RBAC Built-In Administrator Roles Assigned
Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
Azure Resource Graph - APIM with basic auth enabled
https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass
Azure Resource Group Deleted
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.
Azure Resource VM sku sizes Changes
To be run from Resource Graph Explorer
Azure Runbook Webhook Created
The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the "Create or Update an Azure Automation webhook" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.
Azure Service Principal Created
Identifies when a service principal is created in Azure.
Azure Service Principal Removed
Identifies when a service principal was removed in Azure.
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval) represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.
Azure Storage Account Blob Public Access Enabled
Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings.