Query Details

Monitor Azure API Secrets Extraction

Query

// Monitor Azure API Secrets Extraction
// https://www.linkedin.com/posts/activity-7199783025038008320-PSqg/

// Compromised Azure API secrets pose significant risks, including the potential for unauthorized access to confidential data within Azure services, which could result in a data breach. Additionally, attackers may modify settings or interrupt services, causing operational downtime. Consequently, it is crucial for security teams to oversee the management of Azure API secret extractions. The recent integration of the CloudAuditEvents advanced hunting table into DefenderXDR enables the monitoring of activities such as the extraction of Azure API secrets, ensuring that actions undertaken by cloud administrators are verified and authorized.

CloudAuditEvents
| where Timestamp > ago(30d)
| where OperationName == "Microsoft.ApiManagement/service/tenant/listSecrets/action"
| extend SubscriptionID = tostring(RawEventData.subscriptionId)
| extend PrincipalOID = tostring(RawEventData.principalOid)
| extend ApplicationID = tostring(RawEventData.applicationId)
| extend HttpRequest = tostring(RawEventData.httpRequest)
| extend Properties = tostring(RawEventData.properties)
| project Timestamp, OperationName, PrincipalOID, SubscriptionID, ApplicationID, HttpRequest, Properties



Explanation

This query monitors the extraction of Azure API Management secrets, a high-impact action that warrants review. It searches the CloudAuditEvents table in Defender XDR for activity over the past 30 days, specifically operations where the action is "Microsoft.ApiManagement/service/tenant/listSecrets/action". For each match it extracts from RawEventData and displays the timestamp, operation name, principal object ID, subscription ID, application ID, HTTP request, and additional properties, so that security teams can verify that every extraction of API secrets was legitimate and authorized.
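Advanced hunting keeps 30 days of CloudAuditEvents, so any baseline has to fit inside that window. The following is an added example, not the author's query: it treats the first 23 days as a baseline of principals already known to call listSecrets, then surfaces principals that first appear in the last 7 days or that call it in bursts. The column paths come from the query above; the 7-day window and the call-count threshold are assumptions.

```kql
// Added example (not part of the original query): baseline the first 23 of the
// 30 days advanced hunting retains, then flag principals that listed API Management
// secrets only in the last 7 days, or that did so in bursts. Thresholds are assumptions.
let op = "Microsoft.ApiManagement/service/tenant/listSecrets/action";
let window = 7d;
// Principals already seen calling listSecrets before the detection window.
let known = toscalar(
    CloudAuditEvents
    | where Timestamp between (ago(30d) .. ago(window))
    | where OperationName == op
    | extend PrincipalOID = tostring(RawEventData.principalOid)
    | summarize make_set(PrincipalOID));
CloudAuditEvents
| where Timestamp > ago(window)
| where OperationName == op
| extend SubscriptionID = tostring(RawEventData.subscriptionId),
         PrincipalOID = tostring(RawEventData.principalOid),
         ApplicationID = tostring(RawEventData.applicationId),
         HttpRequest = tostring(RawEventData.httpRequest)
| summarize Calls = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Subscriptions = make_set(SubscriptionID),
            SampleRequests = make_set(HttpRequest, 5)
    by PrincipalOID, ApplicationID
// A principal absent from the baseline is new; many calls in a week is unusual for a human admin.
| extend NewPrincipal = not(set_has_element(known, PrincipalOID))
| where NewPrincipal or Calls > 10
| order by NewPrincipal desc, Calls desc
```

Known automation identities (for example a deployment pipeline's service principal) will show up once as "new" and then drop out of the results after a week; add them to an allowlist if that noise matters.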

Details


Steven Lim

Released: August 2, 2024

Tables

CloudAuditEvents

Keywords

AzureAPISecrets, CloudAuditEvents, SecurityMonitoring

Operators

ago, ==, extend, tostring, project, where
