Azure Bastion shareable link created

This rule is part of a beta feature. To learn more, contact Support.

Set up the azure integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an Azure Bastion public link is created. Azure Bastion public links can allow remote access to Azure VMs from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.

Strategy

Monitor Azure Monitor activity logs for MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION or MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION where @evt.outcome is Success.

Triage and response

  1. Verify the legitimacy of the public link creation:

    • Review the Azure activity logs to confirm if the user or process responsible for generating the Bastion public link had a valid business reason.
    • Cross-check with stakeholders or the requesting team to validate whether the action aligns with any approved workflows or maintenance activities.
  2. Investigate suspicious or unexpected link creation:

    • Review related logs to identify the IP address and user identity responsible for generating the public link. Look for unusual IPs (for example, foreign or untrusted locations) or unexpected user accounts.
    • Examine the timeline of activities around the event. This includes checking for failed login attempts, access requests from unknown sources, or other suspicious behavior before and after the link creation.
  3. Mitigate unauthorized public link creation:

    • If unauthorized, immediately revoke the public link and disable any further access through it.
    • Consider disabling shareable links for Azure Bastion to prevent future unauthorized public link creations.