Mass Cloud resource deletions Time Series Anomaly
| Id | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b |
| Rulename | Mass Cloud resource deletions Time Series Anomaly |
| Description | This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | AzureActivity |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml |
| Version | 2.0.4 |
| Arm template | ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b.json |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1d;
let TotalEventsThreshold = 25;
let TimeSeriesData = AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;
TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where TimeGenerated >= startofday(ago(endtime))
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0
| join (AzureActivity
| where TimeGenerated > startofday(ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
triggerOperator: gt
queryFrequency: 1d
description: |
'This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
version: 2.0.4
queryPeriod: 14d
name: Mass Cloud resource deletions Time Series Anomaly
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml
id: ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b
tags:
- DEV-0537
tactics:
- Impact
relevantTechniques:
- T1485
severity: Medium
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: Caller
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: AadUserId
columnName: AadUserId
entityType: Account
query: |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1d;
let TotalEventsThreshold = 25;
let TimeSeriesData = AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;
TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where TimeGenerated >= startofday(ago(endtime))
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0
| join (AzureActivity
| where TimeGenerated > startofday(ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b')]",
"properties": {
"alertRuleTemplateName": "ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b",
"customDetails": null,
"description": "'This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.'\n",
"displayName": "Mass Cloud resource deletions Time Series Anomaly",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Caller",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AadUserId",
"identifier": "AadUserId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml",
"query": "let starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1d;\nlet TotalEventsThreshold = 25;\nlet TimeSeriesData = AzureActivity \n| where TimeGenerated between (startofday(ago(starttime))..startofday(now())) \n| where OperationNameValue endswith \"delete\" \n| project TimeGenerated, Caller \n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;\nTimeSeriesData \n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') \n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \n| where TimeGenerated >= startofday(ago(endtime)) \n| where anomalies > 0 \n| project Caller, TimeGenerated, Total, baseline, anomalies, score \n| where Total > TotalEventsThreshold and baseline > 0 \n| join (AzureActivity \n| where TimeGenerated > startofday(ago(endtime)) \n| where OperationNameValue endswith \"delete\" \n| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller \n| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),\"\")\n| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),\"\")\n| extend AadUserId = iif(Caller !has '@',Caller,\"\")\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"tags": [
"DEV-0537"
],
"techniques": [
"T1485"
],
"templateVersion": "2.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}