Azure Bastion shareable link created

This rule is part of a beta feature. To learn more, contact Support.

Set up the azure integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when an Azure Bastion public link is created. Azure Bastion public links can allow remote access to Azure VMs from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.

Strategy

Monitor Azure Monitor activity logs for MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION or MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION where @evt.outcome is Success.

Triage and response

  1. Verify the legitimacy of the public link creation:

    • Review the Azure activity logs to confirm if the user or process responsible for generating the Bastion public link had a valid business reason.
    • Cross-check with stakeholders or the requesting team to validate whether the action aligns with any approved workflows or maintenance activities.
  2. Investigate suspicious or unexpected link creation:

    • Review related logs to identify the IP address and user identity responsible for generating the public link. Look for unusual IPs (for example, foreign or untrusted locations) or unexpected user accounts.
    • Examine the timeline of activities around the event. This includes checking for failed login attempts, access requests from unknown sources, or other suspicious behavior before and after the link creation.
  3. Mitigate unauthorized public link creation:

    • If unauthorized, immediately revoke the public link and disable any further access through it.
    • Consider disabling shareable links for Azure Bastion to prevent future unauthorized public link creations.