Product
medium
advisory
Azure Key Vault Excessive Secret or Key Retrieval
2 rules 2 TTPsDetects excessive secret or key retrieval operations from Azure Key Vault, indicating potential unauthorized access attempts or credential harvesting.
Azure Key Vault
azure
keyvault
credential-access
threat-detection
2r
2t
high
advisory
Multiple Cloud Secrets Accessed by Source Address
2 rules 1 TTPA single source IP accessing secret-management APIs across multiple cloud providers (AWS, GCP, Azure) and Kubernetes clusters within a short timeframe indicates credential theft or token replay for secret harvesting.
AWS Secrets Manager +3
cloud
credential-access
kubernetes
2r
1t
medium
advisory
Azure Key Vault Unusual Secret Key Usage
2 rules 1 TTPDetects unusual secret, key, or certificate retrieval operations from Azure Key Vault by a user principal that has not been seen previously, potentially indicating unauthorized access attempts.
Azure Key Vault
azure
keyvault
credential-access
2r
1t
low
advisory
Azure Key Vault Modified by Unusual User
2 rules 2 TTPsThis rule identifies modifications to Azure Key Vaults by unusual users, potentially leading to data breaches or service disruptions through defense evasion or impact operations.
Azure Key Vault
azure
keyvault
configuration-audit
impact
defense-evasion
2r
2t