Monitor Azure API Secrets Extraction
Query
// Monitor Azure API Secrets Extraction
// https://www.linkedin.com/posts/activity-7199783025038008320-PSqg/
// Compromised Azure API secrets pose significant risks, including the potential for unauthorized access to confidential data within Azure services, which could result in a data breach. Additionally, attackers may modify settings or interrupt services, causing operational downtime. Consequently, it is crucial for security teams to oversee the management of Azure API secret extractions. The recent integration of the CloudAuditEvents advanced hunting table into DefenderXDR enables the monitoring of activities such as the extraction of Azure API secrets, ensuring that actions undertaken by cloud administrators are verified and authorized.
CloudAuditEvents
| where Timestamp > ago(30d)
| where OperationName == "Microsoft.ApiManagement/service/tenant/listSecrets/action"
| extend SubscriptionID = tostring(RawEventData.subscriptionId)
| extend PrincipalOID = tostring(RawEventData.principalOid)
| extend ApplicationID = tostring(RawEventData.applicationId)
| extend HttpRequest = tostring(RawEventData.httpRequest)
| extend Properties = tostring(RawEventData.properties)
| project Timestamp, OperationName, PrincipalOID, SubscriptionID, ApplicationID, HttpRequest, Properties
// MITRE ATT&CK Mapping
// The operation Microsoft.ApiManagement/service/tenant/listSecrets/action involves listing secrets, which can be associated with the following MITRE ATT&CK techniques:
// T1070.004 - Indicator Removal on Host: File Deletion:
// This technique involves adversaries attempting to delete or alter generated artifacts on a host system, including logs or captured files. Listing secrets could be a precursor to such actions.
// T1552.001 - Unsecured Credentials: Credentials In Files:
// This technique involves adversaries searching for credentials in files. Listing secrets can be part of this process, as secrets often contain sensitive information like credentials.
// T1078 - Valid Accounts:
// Adversaries may use valid accounts to access and list secrets. This technique involves the use of legitimate credentials to gain access to resources.
// T1087.001 - Account Discovery: Local Account:
// This technique involves adversaries enumerating accounts to understand the environment. Listing secrets can help in discovering accounts and their associated secrets.Explanation
This query is designed to monitor the extraction of Azure API secrets, which is a critical security concern. It uses the CloudAuditEvents table to track activities related to the operation "Microsoft.ApiManagement/service/tenant/listSecrets/action" over the past 30 days. The query extracts and displays specific details such as the timestamp, operation name, principal ID, subscription ID, application ID, HTTP request, and properties associated with each event. This helps security teams verify and authorize actions taken by cloud administrators.
Additionally, the query is mapped to several MITRE ATT&CK techniques, highlighting potential risks associated with secret extraction:
- Indicator Removal on Host (T1070.004): Adversaries might delete or alter logs or files, and listing secrets could be a step in this process.
- Unsecured Credentials (T1552.001): Secrets often contain sensitive information like credentials, and listing them could be part of searching for such credentials in files.
- Valid Accounts (T1078): Adversaries might use legitimate credentials to access and list secrets.
- Account Discovery (T1087.001): Listing secrets can aid in discovering accounts and their associated secrets, helping adversaries understand the environment.
Overall, the query is a proactive measure to detect unauthorized secret extraction activities and mitigate potential security threats.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators