Azure Bastion shareable link created

This rule is part of a beta feature. To learn more, contact Support.

Set up the azure integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an Azure Bastion public link is created. Azure Bastion public links can allow remote access to Azure VMs from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.

Strategy

Monitor Azure Monitor activity logs for MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION or MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION where @evt.outcome is Success.

Triage and response

  1. Verify the legitimacy of the public link creation:

    • Review the Azure activity logs to confirm if the user or process responsible for generating the Bastion public link had a valid business reason.
    • Cross-check with stakeholders or the requesting team to validate whether the action aligns with any approved workflows or maintenance activities.
  2. Investigate suspicious or unexpected link creation:

    • Review related logs to identify the IP address and user identity responsible for generating the public link. Look for unusual IPs (for example, foreign or untrusted locations) or unexpected user accounts.
    • Examine the timeline of activities around the event. This includes checking for failed login attempts, access requests from unknown sources, or other suspicious behavior before and after the link creation.
  3. Mitigate unauthorized public link creation:

    • If unauthorized, immediately revoke the public link and disable any further access through it.
    • Consider disabling shareable links for Azure Bastion to prevent future unauthorized public link creations.