Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious VM Instance Creation Activity Detected

Suspicious VM Instance Creation Activity Detected

Back
Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
DescriptionThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.4
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
Deploy To Azure
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Extract and process account entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    | where GCPUserUPN !has "gserviceaccount.com"
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]

queryPeriod: 1d
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
version: 1.0.4
name: Suspicious VM Instance Creation Activity Detected
entityMappings:
- fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
alertDetailsOverride:
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  alertDynamicProperties:
  - value: Microsoft Security
    alertProperty: ProviderName
  - value: Microsoft Defender
    alertProperty: ProductName
  - value: Microsoft Defender
    alertProperty: ProductComponentName
  alertSeverityColumnName: AlertSeverity
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: MicrosoftDefenderAdvancedThreatProtection
  dataTypes:
  - SecurityAlert (MDATP)
- connectorId: MicrosoftCloudAppSecurity
  dataTypes:
  - SecurityAlert
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
kind: Scheduled
queryFrequency: 1d
severity: Medium
relevantTechniques:
- T1078
- T1106
- T1526
triggerOperator: gt
triggerThreshold: 0
customDetails:
  CorrelationWith: GCPAuditLogs
  GCPProjectId: ProjectId
  AlertIds: SystemAlertIds
  AlertUserName: AccountUPN
  AlertName: AlertName
  AlertProDuctName: ProductName
  GCPVMType: VMType
  AlertUserObjectId: AccountObjectId
  GCPVMName: VMName
  GCPUserAgent: GCPUserUA
  AlertIp: EntityIp
tactics:
- InitialAccess
- Execution
- Discovery
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83