Most Microsoft Defender for Key Vault alerts derive from a user trying to access the Key Vault (KV) in a suspicious manner. Some examples of these alerts include “Access from a suspicious IP address to a Key Vault” and “Unusual user accessed a Key Vault”. The purpose of this article is to share more information about an automation to respond to these Key Vault alerts. Suggested response actions will be:
- Remove the access policies the user has in this KV
- Remove RBAC permissions the user has in this KV
Visit our GitHub repository here to deploy the automation.
Introduction:
Azure Key Vault is an essential cloud service for storing and accessing secure data including secrets, keys, certificates, and passwords. If this data is compromised, attackers may be able to gain access to essential company resources and from there, perform lateral movement throughout the organization’s environment. Defender for Key Vault can be used to detect unusual and potentially harmful access to Azure native Key Vault accounts. When anomalous activity is detected, Defender for Key Vault shows an alert which includes details of the activity and suggested recommendations to remediate. The alerts for Defender for Key Vault fall in the “Credential Access” stage of the MITRE ATT&CK matrix where the attacker attempts to gain access or credentials that are used within the organization’s environment.
Aside from utilizing the alerts and recommendations that Microsoft Defender for Cloud already has in place for your Key Vault accounts, we have created a logic app that can be leveraged as response actions. When the logic app is executed, it will automatically respond to the Key Vault alert by removing the access policies and RBAC permissions the user has in the Key Vault. The rest of this blog addresses these two parts of the logic apps: how it removes access policies and how it removes RBAC permissions in the Key Vault.
Logic Implemented:
The automation leverages a Logic App that is executed whenever a Microsoft Defender for Key Vault alert is created or triggered. The Logic App leverages REST APIs to remove the access policies the user has in the respective Key Vault. Once executed, the automation extracts information from the security alert, such as the subscription ID, resource group and attacker ID (see Figure 1).
Remove the access policies the user has in this KV
After retrieving the alert information, the automation gets information about all Key Vaults associated with the subscription, by leveraging the Vaults REST API (see Figure 2).
For each Key Vault returned as a result of the previous step, the automation gets all the access policies associated with that Key Vault. For each access policy, the automation checks if the “objectID” is equal to the “attackerID” (obtained from the Microsoft Defender for Key Vault security alert). For each match, where the potential attacker has access to the Key Vault, the automation removes the relevant access policies by leveraging the Vaults REST API (see Figure 3).
Remove RBAC permissions the user has in this Key Vault
This part of the Logic App also leverages REST APIs to remove the RBAC permissions, which the user has in the respective Key Vault. The automation needs Owner permission on the subscription level. In addition to the "attackerID" that is collected in Figure 1, the automation also extracts the "resourceID" from the security alert (see Figure 4).
This information is stored in the respective variable. The automation gets role assignments by leveraging the Role Assignments REST API (see Figure 5).
Then for each role assignment, where the “principalID” is equal to the “attackerID”, the automation removes the corresponding role assignment by leveraging the Role Assignments REST API (see Figure 6).
Conclusion
To learn more about how to use Logic Apps in the Defender for Cloud Workflow automation, check out our documentation here.
To see more Logic Apps available for use in Defender for Cloud, visit our Microsoft Defender for Cloud Repository.
Reviewers:
Safeena Begum Lepakshi
Tom Janetschek
