Microsoft Sentinel Analytic Rules

Suspicious VM Instance Creation Activity Detected

Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
DescriptionThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.4
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
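// Filter alerts from specific Microsoft security products with medium and high severity.
// NOTE: the rule description speaks of "high-severity" alerts, but Medium is included here as well.
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse the JSON entity list and keep the alert's own timestamp under a distinct name,
// because TimeGenerated is re-used by the GCPAuditLogs side of the join below.
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Expand IP entities: one row per IP entity on the alert. Alerts without an IP entity produce no rows.
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Expand account entities: one row per (IP, account) pair. After this step Entity holds the
// account entity only; an account entity without AadUserId yields an empty AccountObjectId.
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Collapse to one row per (alert, IP, account, day). Entitys holds the account entities seen
// above (the second mv-apply overwrote Entity); SystemAlertIds keeps the underlying alert IDs
// so they can be surfaced through the rule's custom details.
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs: Compute Engine instance creations whose caller IP equals an alert IP entity.
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    // Service-account principals are excluded by design; instance creations performed through
    // a (possibly compromised) service account are therefore not covered by this rule.
    | where GCPUserUPN !has "gserviceaccount.com"
    // Keep only inserts that carry a real caller IP: an empty value or the literal "private"
    // can never match an alert IP entity on the join key below.
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Enrich with the latest IdentityInfo record per account. arg_max yields exactly one row per
// AccountObjectId; the previous `distinct AccountObjectId, AccountUPN, JobTitle` returned one row
// per distinct (UPN, JobTitle) combination and could duplicate a finding whenever either value
// changed within the lookback.
// NOTE(review): IdentityInfo is bounded by the rule's 1d lookback like every other table here,
// so accounts without a recent IdentityInfo record are dropped by this inner join — confirm intended.
| join kind=inner (IdentityInfo 
    | summarize arg_max(TimeGenerated, AccountUPN, JobTitle) by AccountObjectId
    | project AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// TimeDiff is the whole-day offset between the day-binned alert time and the VM creation time.
// It is surfaced for triage only and never used as a filter, so the "short timeframe" mentioned
// in the description is enforced solely by the shared 1d lookback.
// Name / UPNSuffix split the GCP principal email for the Account entity mapping.
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]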
# Microsoft Sentinel scheduled analytic rule: correlates Medium/High alerts from the listed
# Microsoft security products with Google Cloud Compute Engine instance creations that were
# issued from the same IP address as an alert IP entity.
name: Suspicious VM Instance Creation Activity Detected
relevantTechniques:
- T1078
- T1106
- T1526
# Extra fields attached to each generated alert; every value is a column of the query output.
# NOTE: the 'AlertProDuctName' key is spelled as deployed; automation rules may reference it, so it is left unchanged here.
customDetails:
  AlertUserObjectId: AccountObjectId
  GCPUserAgent: GCPUserUA
  GCPVMType: VMType
  AlertIds: SystemAlertIds
  AlertUserName: AccountUPN
  CorrelationWith: GCPAuditLogs
  AlertIp: EntityIp
  AlertProDuctName: ProductName
  GCPProjectId: ProjectId
  GCPVMName: VMName
  AlertName: AlertName
# Connectors whose tables the query reads: SecurityAlert (several products), GCPAuditLogs and IdentityInfo.
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityAlert (MDATP)
  connectorId: MicrosoftDefenderAdvancedThreatProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftCloudAppSecurity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
# KQL body of the rule. Note that the query filters Medium as well as High alerts even though the
# description below only mentions high severity, and that TimeDiff is computed but never filtered on.
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
tactics:
- InitialAccess
- Execution
- Discovery
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
# Entity mappings: the GCP caller IP becomes the IP entity; the GCP principal email (and its
# Name / UPNSuffix parts, split by the query) becomes the Account entity.
entityMappings:
- fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
queryFrequency: 1d
# Dynamic alert title/description; {{...}} placeholders are substituted with query output columns.
# 'addresse' and 'Assocated' are typos in the analyst-facing text as deployed.
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: Microsoft Security
  - alertProperty: ProductName
    value: Microsoft Defender
  - alertProperty: ProductComponentName
    value: Microsoft Defender
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
# Scheduling: runs once a day over a 1-day window and fires whenever the query returns more than 0 rows.
triggerOperator: gt
version: 1.0.4
queryPeriod: 1d
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This detection correlates '{{ProductName}}' Alert IP address Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP address. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.",
          "alertDisplayNameFormat": "IP address {{GCPUserIp}} Associated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "Microsoft Security"
            },
            {
              "alertProperty": "ProductName",
              "value": "Microsoft Defender"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "Microsoft Defender"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity"
        },
        "alertRuleTemplateName": "1cc0ba27-c5ca-411a-a779-fbc89e26be83",
        "customDetails": {
          "AlertIds": "SystemAlertIds",
          "AlertIp": "EntityIp",
          "AlertName": "AlertName",
          "AlertProDuctName": "ProductName",
          "AlertUserName": "AccountUPN",
          "AlertUserObjectId": "AccountObjectId",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'\n",
        "displayName": "Suspicious VM Instance Creation Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "GCPUserUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml",
        "query": "// Filter alerts from specific Microsoft security products with medium and high severity\nSecurityAlert \n| where ProductName in (\"Microsoft 365 Defender\", \"Azure Active Directory\", \"Microsoft Defender Advanced Threat Protection\", \"Microsoft Cloud App Security\", \"Azure Active Directory Identity Protection\", \"Microsoft Defender ATP\")\n| where AlertSeverity has_any (\"Medium\", \"High\")\n// Parse JSON entities and extend AlertTimeGenerated\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\n// Extract and process IP entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'ip' \n    | extend EntityIp = tostring(Entity.Address) \n    ) \n// Extract and process account entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'account' \n    | extend AccountObjectId = tostring(Entity.AadUserId)\n    )\n// Filter out records with empty EntityIp\n| where isnotempty(EntityIp)\n// Summarize data and create sets of entities and system alert IDs\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\n    by \n    AlertName,\n    ProductName,\n    AlertSeverity,\n    EntityIp,\n    Tactics,\n    Techniques,\n    ProviderName,\n    AlertTime= bin(AlertTimeGenerated, 1d),\n    AccountObjectId\n// Join with GCPAuditLogs for VM instance creation\n| join kind=inner (\n    GCPAuditLogs\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMType = tostring(split(parse_json(Request).machineType, 
\"/\")[-1])\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType\n    )\n    on $left.EntityIp == $right.GCPUserIp \n// Join with IdentityInfo to enrich user identity details\n| join kind=inner (IdentityInfo \n    | distinct AccountObjectId, AccountUPN, JobTitle\n    )\n    on AccountObjectId \n// Calculate the time difference between the alert and VM creation for further analysis\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \"@\")[0], UPNSuffix = split(GCPUserUPN, \"@\")[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1106",
          "T1526"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}