Azure Service Bus
Shared Access Key
Service Name: Azure Service Bus
Service Description: Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics. Service Bus is used to decouple applications and services from each other, providing reliable message transfer between applications and services.
Service Address: https://azure.microsoft.com/en-us/services/service-bus/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the network level using Azure Virtual Network service endpoints and firewall rules.
Secret Access Scope: Grants access to send and receive messages from Azure Service Bus namespaces, queues, and topics based on the assigned permissions (Send, Listen, Manage).
Secret Revokement URL: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas-overview#revoke-keys
Secret Example: SharedAccessSignature sr=https%3A%2F%2Fmyservicebus.servicebus.windows.net%2F&sig=pD1FVEJAHDPGKPVzizo6dVCTY4oqBuzWNMNBPWnttsSs%3D&se=1699887484&skn=RootManageSharedAccessKey
Suspicious Activity Investigation Instructions:
- Review Azure Service Bus metrics and logs in Azure Monitor for unusual message patterns or volume spikes.
- Check Azure Activity Logs for unauthorized access attempts or configuration changes to your Service Bus namespace.
- Examine IP addresses that have accessed your Service Bus namespace for unfamiliar locations.
- Review the permissions assigned to the shared access key to ensure they're appropriate.
- Monitor for unusual message processing patterns that could indicate unauthorized use.
Mitigation Instructions:
- Immediately regenerate the shared access key in the Azure Portal under your Service Bus namespace > Shared access policies.
- Update all legitimate applications with the new key.
- Consider implementing more granular access policies with minimum required permissions.
- Enable Azure Private Link for your Service Bus namespace to restrict network access.
- Implement Azure AD authentication instead of shared access signatures when possible.
- Set up Azure Monitor alerts to detect unusual activity patterns.
- Review and update network security groups and firewall rules to restrict access to trusted networks.