
Unexpected Azure API calls indicating Event Hub authorization rule modification

ID: azure_event_hub_authorization_rule_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected the modification of an Azure Event Hub authorization rule. Authorization rules (shared access policies) control access to Event Hubs namespaces and to individual event hubs: each rule binds a named primary/secondary key pair to a set of rights, which can be Send, Listen, and Manage (Manage implies Send and Listen).

Modifying an authorization rule can grant unauthorized access to streaming data or allow an attacker to inject events into data pipelines. Adversaries who have compromised cloud administrative credentials may widen a rule's rights, or create a new rule, to establish persistent key-based access to sensitive data streams, exfiltrate telemetry, or tamper with logging infrastructure that is fed through the namespace.

Impact

Unauthorized modification of Event Hub authorization rules can enable threat actors to gain access to high-volume data streams containing sensitive organizational telemetry, security logs, or application data. Attackers may use this access to exfiltrate data at scale, inject malicious events into processing pipelines, or disrupt downstream analytics and alerting systems that depend on Event Hub data.

Severity

Severity | Condition
Low      | Event Hub authorization rule modified
Medium   | Event Hub authorization rule modified by anomalous identity

Investigation and Remediation

Review Azure Activity logs for the Microsoft.EventHub/namespaces/authorizationRules/write operation (and its event-hub-scoped counterpart, Microsoft.EventHub/namespaces/eventhubs/authorizationRules/write). Examine the identity that performed the modification, the specific authorization rule affected (the last segment of the resource ID), and the rights granted. Verify whether the change was authorized and aligns with organizational change management processes.

If unauthorized, immediately delete the rule or restore its intended rights, and regenerate both the primary and secondary keys of any rule that may have been exposed; regenerating keys invalidates SAS tokens derived from them, so legitimate clients that use the rule must be re-keyed. Note that the Activity log records control-plane changes only: to determine whether the modified rule was actually used to send to or read from the data streams, review Event Hubs diagnostic logs, if enabled, for the namespace. Investigate the compromised identity for additional malicious activity and rotate its credentials.
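As an added worked example, not AlphaSOC's own detection code, the triage logic above run over a handful of constructed Azure Activity log records: flag successful authorization-rule writes, pull out the rule name and the rights requested, and rate the alert Medium when the caller has not performed any Event Hubs control-plane operation in a 30-day lookback window (that baseline definition of "anomalous identity" is an assumption made here, as is the presence of the requested rights in `properties.requestbody`).

```python
import json
from datetime import datetime, timedelta, timezone

# Activity-log operation names for authorization-rule writes at namespace and event-hub scope.
RULE_WRITE_OPS = {
    "microsoft.eventhub/namespaces/authorizationrules/write",
    "microsoft.eventhub/namespaces/eventhubs/authorizationrules/write",
}
# Any Event Hubs control-plane operation makes an identity "known" for the baseline (assumption).
EVENTHUB_PREFIX = "microsoft.eventhub/"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-telemetry"
NS = SUB + "/providers/Microsoft.EventHub/namespaces/ehns-prod"

# Constructed sample records (not real telemetry). Field names follow the Azure Monitor
# activity-log schema; the requestbody content is an assumption for illustration.
SAMPLE_RECORDS = [
    {   # a known operator adjusted a rule three weeks earlier: baseline only
        "time": "2024-03-10T09:12:00Z",
        "operationName": "Microsoft.EventHub/namespaces/authorizationRules/write",
        "caller": "alice@contoso.example", "resultType": "Success",
        "resourceId": NS + "/authorizationRules/sender-app",
        "properties": {"requestbody": json.dumps({"properties": {"rights": ["Send"]}})},
    },
    {   # an unrelated read by another operator: also feeds the baseline
        "time": "2024-03-20T11:00:00Z",
        "operationName": "Microsoft.EventHub/namespaces/read",
        "caller": "bob@contoso.example", "resultType": "Success",
        "resourceId": NS, "properties": {},
    },
    {   # same known operator, recent change: expected, rated Low
        "time": "2024-04-02T14:05:00Z",
        "operationName": "Microsoft.EventHub/namespaces/authorizationRules/write",
        "caller": "alice@contoso.example", "resultType": "Success",
        "resourceId": NS + "/authorizationRules/sender-app",
        "properties": {"requestbody": json.dumps({"properties": {"rights": ["Send", "Listen"]}})},
    },
    {   # failed attempt by an unknown identity: not a rule change, skipped
        "time": "2024-04-02T14:20:00Z",
        "operationName": "Microsoft.EventHub/namespaces/authorizationRules/write",
        "caller": "mallory@contoso.example", "resultType": "Failure",
        "resourceId": NS + "/authorizationRules/pipeline-admin", "properties": {},
    },
    {   # never-seen service principal creates a Manage rule: rated Medium
        "time": "2024-04-02T14:31:00Z",
        "operationName": "Microsoft.EventHub/namespaces/authorizationRules/write",
        "caller": "6f5ff7e2-1b1c-4c3a-9a11-0d2f4e7b9c55", "resultType": "Success",
        "resourceId": NS + "/authorizationRules/pipeline-admin",
        "properties": {"requestbody": json.dumps({"properties": {"rights": ["Manage", "Send", "Listen"]}})},
    },
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_rule_write(rec):
    """True for a successful authorization-rule write at either scope."""
    return rec["operationName"].lower() in RULE_WRITE_OPS and rec.get("resultType") == "Success"


def rights_granted(rec):
    """Rights requested in the ARM request body, or [] when absent or unparseable."""
    body = rec.get("properties", {}).get("requestbody")
    if not body:
        return []
    try:
        return json.loads(body).get("properties", {}).get("rights", [])
    except (json.JSONDecodeError, AttributeError):
        return []


def rule_name(rec):
    return rec["resourceId"].rsplit("/", 1)[-1]


def baseline_callers(records, at, lookback):
    """Identities with any successful Event Hubs control-plane operation in (at - lookback, at)."""
    start = at - lookback
    return {r["caller"] for r in records
            if start <= parse_time(r["time"]) < at
            and r["operationName"].lower().startswith(EVENTHUB_PREFIX)
            and r.get("resultType") == "Success"}


def evaluate(records, since, lookback=timedelta(days=30)):
    """Rate each rule write at or after `since`; earlier records only seed the baseline."""
    alerts = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        when = parse_time(rec["time"])
        if when < since or not is_rule_write(rec):
            continue
        known = baseline_callers(records, when, lookback)
        alerts.append({
            "time": rec["time"],
            "severity": "Low" if rec["caller"] in known else "Medium",
            "caller": rec["caller"],
            "rule": rule_name(rec),
            "rights": rights_granted(rec),
            "resourceId": rec["resourceId"],
        })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS, since=parse_time("2024-04-01T00:00:00Z")):
        print(f"{a['time']} {a['severity']:6} {a['caller']} -> {a['rule']} {a['rights']}")
```

The `since` cut-off avoids rating the first record in a fresh data set as anomalous merely because nothing precedes it; in production the baseline would be seeded from the prior month of AzureActivity data rather than from the same batch. Rights containing Manage on a rule created by an identity outside the baseline is the case that most warrants immediate key regeneration.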