Compare 2 values

Hi

Is it possible to search for when a new secret is added to an application in azure?

I want to check when "source_json.properties.targetResources.0.modifiedProperties.0.newValue" > "source_json.properties.targetResources.0.modifiedProperties.0.oldValue"

as this means a new secret is added and not deleted.

How can I achieve this?

Kind regards

@lqerkezi you can perform key comparisons but the greater than > comparison will only work with numerical values.

Can you share an example of what the actual key values are if they are not sensitive?

Hi David, thanks for your response.

That makes sense. I figured > wouldn’t work on string values but wanted to confirm.

The key values I’m seeing look like this (from the audit logs, nothing sensitive):

["[KeyIdentifier=d0a2fa9f-a557-4c62-a7eb-b715409d3471,KeyType=Password,KeyUsage=Verify,DisplayName=key1]"]

Add a key:

Add another key:

Delete a key:

For now, I came up with this:

where(
"service" = "AZURE_AD"
AND
"action" ICONTAINS "Update application – Certificates and secrets management "
AND
(
(source_json.properties.targetResources.0.modifiedProperties.0.newValue = /^\[.*KeyIdentifier=.*\]$/ AND source_json.properties.targetResources.0.modifiedProperties.0.oldValue = /^$/)
OR
(source_json.properties.targetResources.0.modifiedProperties.0.newValue = /^\[.*KeyIdentifier=.*KeyIdentifier=.*\]$/ AND source_json.properties.targetResources.0.modifiedProperties.0.oldValue != /^\[.*KeyIdentifier=.*KeyIdentifier=.*\]$/)
OR
(source_json.properties.targetResources.0.modifiedProperties.0.newValue = /^\[.*KeyIdentifier=.*KeyIdentifier=.*KeyIdentifier=.*\]$/ AND source_json.properties.targetResources.0.modifiedProperties.0.oldValue != /^\[.*KeyIdentifier=.*KeyIdentifier=.*KeyIdentifier=.*\]$/) ))

It basically checks if newValue contains more KeyIdentifier= entries than oldValue.

It works, but this is neither good nor scalable.

This might not be perfect

But you could use something like

source_json.properties.targetResources.0.modifiedProperties.0.oldValue NOT ICONTAINS "]\",\"[" AND 
source_json.properties.targetResources.0.modifiedProperties.0.newValue ICONTAINS "]\",\"["

The double quotes inside the value are actually escaped; you can typically only see these escape characters when using Legacy Log search, so that's why I placed the backslashes before them. It could be worth double-checking whether the square brackets are also escaped; if so, you'd need to add a backslash in front of them too,

like

source_json.properties.targetResources.0.modifiedProperties.0.newValue ICONTAINS "\]\",\"\["

Essentially, it only matches if there are two or more keys in the newValue.

This wouldn't fire if there were two in the old and three in the new.

But it also wouldn't fire if there were two in the old value and one in the new, or one in the old value and zero in the new.

David

Hi David, thanks for the reply.

Sadly, this would only trigger on one specific occasion, and it's not suitable for a detection rule.

A count function to count the number of times a specific string appears in a value would be nice.

Something like:

source_json.properties.targetResources.0.modifiedProperties.0.newValue.count("KeyIdentifier") > source_json.properties.targetResources.0.modifiedProperties.0.oldValue.count("KeyIdentifier")

But it’s (currently) not possible.
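The count comparison asked for above can be done outside the log search, for example in a script that post-processes exported audit events or backs a custom detection. The example below is added here and is not code from anyone in this thread or from the log platform: it parses the oldValue/newValue strings in the shape quoted earlier in the thread (a JSON array of "[KeyIdentifier=...,KeyType=...,...]" entries, possibly JSON-encoded twice as seen in raw or legacy search), then goes one step beyond a plain count by comparing the sets of KeyIdentifier values, so a change that deletes one secret and adds another in the same event (equal counts) is still reported as introducing a new credential. The event dictionaries, GUIDs and display names are constructed for the example.

```python
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample entries in the format quoted in the thread; the GUIDs are made up.
K1 = "[KeyIdentifier=11111111-1111-4111-8111-111111111111,KeyType=Password,KeyUsage=Verify,DisplayName=key1]"
K2 = "[KeyIdentifier=22222222-2222-4222-8222-222222222222,KeyType=Password,KeyUsage=Verify,DisplayName=key2]"
K3 = "[KeyIdentifier=33333333-3333-4333-8333-333333333333,KeyType=Password,KeyUsage=Verify,DisplayName=key3]"

# Constructed events: only the two modifiedProperties values the check needs are kept.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "evt-1", "oldValue": "[]", "newValue": json.dumps([K1])},                      # first secret added
    {"id": "evt-2", "oldValue": json.dumps([K1]), "newValue": json.dumps([K1, K2])},      # second secret added
    {"id": "evt-3", "oldValue": json.dumps([K1, K2]), "newValue": json.dumps([K2])},      # one secret deleted
    {"id": "evt-4", "oldValue": json.dumps([K2]), "newValue": json.dumps([K3])},          # delete + add, counts equal
    {"id": "evt-5", "oldValue": json.dumps(json.dumps([K2])),                             # double-encoded form,
     "newValue": json.dumps(json.dumps([K2, K3]))},                                       # as seen in raw/legacy search
]


def parse_key_identifiers(value: Any) -> Set[str]:
    """Return the set of KeyIdentifier values found in an old/newValue string.

    The value is a JSON-encoded array of strings shaped like
    "[KeyIdentifier=...,KeyType=...,...]". Depending on the export path the
    array may itself be JSON-encoded again, so decode until a list comes out.
    """
    if value is None:
        return set()
    decoded: Any = value
    for _ in range(3):  # bounded, so a pathological value cannot loop forever
        if not isinstance(decoded, str):
            break
        stripped = decoded.strip()
        if stripped == "":
            return set()
        try:
            decoded = json.loads(stripped)
        except json.JSONDecodeError:
            decoded = [stripped]  # not JSON: treat the raw string as one entry
            break
    entries = decoded if isinstance(decoded, list) else [decoded]
    ids: Set[str] = set()
    for entry in entries:
        if not isinstance(entry, str):
            continue
        inner = entry.strip().strip("[]")
        for field in inner.split(","):
            key, _, val = field.partition("=")
            if key.strip() == "KeyIdentifier" and val.strip():
                ids.add(val.strip())
    return ids


def classify(event: Dict[str, Any]) -> str:
    """Label a credentials change by comparing identifier sets, not counts."""
    old = parse_key_identifiers(event.get("oldValue"))
    new = parse_key_identifiers(event.get("newValue"))
    added, removed = new - old, old - new
    if added and removed:
        return "replaced"  # equal counts, but a new credential was still introduced
    if added:
        return "added"
    if removed:
        return "removed"
    return "unchanged"


def find_new_secrets(events: List[Dict[str, Any]]) -> List[Tuple[str, List[str]]]:
    """Return (event id, new KeyIdentifiers) for each event that introduced a credential."""
    hits: List[Tuple[str, List[str]]] = []
    for ev in events:
        new_ids = parse_key_identifiers(ev.get("newValue")) - parse_key_identifiers(ev.get("oldValue"))
        if new_ids:
            hits.append((ev["id"], sorted(new_ids)))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], classify(ev))
    print(find_new_secrets(SAMPLE_EVENTS))
```

Run against real exports, the `id` field would be the audit record's own identifier and the two values would come from `properties.targetResources[0].modifiedProperties[0]` of each "Update application – Certificates and secrets management" record; the string parsing assumes the KeyIdentifier field appears first in each entry, as it does in the value quoted in the thread.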