Suspicious VM Instance Creation Activity Detected
Id | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 |
Rulename | Suspicious VM Instance Creation Activity Detected |
Description | This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity. |
Severity | Medium |
Tactics | InitialAccess Execution Discovery |
Techniques | T1078 T1106 T1526 |
Required data connectors | AzureActiveDirectoryIdentityProtection BehaviorAnalytics GCPAuditLogsDefinition MicrosoftCloudAppSecurity MicrosoftDefenderAdvancedThreatProtection MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml |
Version | 1.0.4 |
Arm template | 1cc0ba27-c5ca-411a-a779-fbc89e26be83.json |
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Extract and process account entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
by
AlertName,
ProductName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
ProviderName,
AlertTime= bin(AlertTimeGenerated, 1d),
AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
GCPAuditLogs
| where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
| extend
GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
VMStatus = tostring(parse_json(Response).status),
VMOperation=tostring(parse_json(Response).operationType),
VMName= tostring(parse_json(Request).name),
VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
| where GCPUserUPN !has "gserviceaccount.com"
| where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
| project
GCPOperationTime=TimeGenerated,
VMName,
VMStatus,
MethodName,
GCPUserUPN,
ProjectId,
GCPUserIp,
GCPUserUA,
VMOperation,
VMType
)
on $left.EntityIp == $right.GCPUserIp
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo
| distinct AccountObjectId, AccountUPN, JobTitle
)
on AccountObjectId
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]
entityMappings:
- fieldMappings:
- columnName: GCPUserIp
identifier: Address
entityType: IP
- fieldMappings:
- columnName: GCPUserUPN
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
triggerThreshold: 0
severity: Medium
queryFrequency: 1d
queryPeriod: 1d
customDetails:
AlertUserObjectId: AccountObjectId
CorrelationWith: GCPAuditLogs
AlertUserName: AccountUPN
GCPProjectId: ProjectId
GCPVMType: VMType
GCPVMName: VMName
GCPUserAgent: GCPUserUA
AlertProDuctName: ProductName
AlertIp: EntityIp
AlertIds: SystemAlertIds
AlertName: AlertName
relevantTechniques:
- T1078
- T1106
- T1526
triggerOperator: gt
version: 1.0.4
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
dataTypes:
- GCPAuditLogs
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert (MDATP)
- connectorId: MicrosoftCloudAppSecurity
dataTypes:
- SecurityAlert
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
alertDetailsOverride:
alertSeverityColumnName: AlertSeverity
alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
alertDynamicProperties:
- alertProperty: ProviderName
value: Microsoft Security
- alertProperty: ProductName
value: Microsoft Defender
- alertProperty: ProductComponentName
value: Microsoft Defender
name: Suspicious VM Instance Creation Activity Detected
description: |
'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
query: |
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Extract and process account entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
by
AlertName,
ProductName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
ProviderName,
AlertTime= bin(AlertTimeGenerated, 1d),
AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
GCPAuditLogs
| where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
| extend
GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
VMStatus = tostring(parse_json(Response).status),
VMOperation=tostring(parse_json(Response).operationType),
VMName= tostring(parse_json(Request).name),
VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
| where GCPUserUPN !has "gserviceaccount.com"
| where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
| project
GCPOperationTime=TimeGenerated,
VMName,
VMStatus,
MethodName,
GCPUserUPN,
ProjectId,
GCPUserIp,
GCPUserUA,
VMOperation,
VMType
)
on $left.EntityIp == $right.GCPUserIp
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo
| distinct AccountObjectId, AccountUPN, JobTitle
)
on AccountObjectId
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]
tactics:
- InitialAccess
- Execution
- Discovery
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.",
"alertDisplayNameFormat": "IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "Microsoft Security"
},
{
"alertProperty": "ProductName",
"value": "Microsoft Defender"
},
{
"alertProperty": "ProductComponentName",
"value": "Microsoft Defender"
}
],
"alertSeverityColumnName": "AlertSeverity"
},
"alertRuleTemplateName": "1cc0ba27-c5ca-411a-a779-fbc89e26be83",
"customDetails": {
"AlertIds": "SystemAlertIds",
"AlertIp": "EntityIp",
"AlertName": "AlertName",
"AlertProDuctName": "ProductName",
"AlertUserName": "AccountUPN",
"AlertUserObjectId": "AccountObjectId",
"CorrelationWith": "GCPAuditLogs",
"GCPProjectId": "ProjectId",
"GCPUserAgent": "GCPUserUA",
"GCPVMName": "VMName",
"GCPVMType": "VMType"
},
"description": "'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'\n",
"displayName": "Suspicious VM Instance Creation Activity Detected",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "GCPUserUPN",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml",
"query": "// Filter alerts from specific Microsoft security products with medium and high severity\nSecurityAlert \n| where ProductName in (\"Microsoft 365 Defender\", \"Azure Active Directory\", \"Microsoft Defender Advanced Threat Protection\", \"Microsoft Cloud App Security\", \"Azure Active Directory Identity Protection\", \"Microsoft Defender ATP\")\n| where AlertSeverity has_any (\"Medium\", \"High\")\n// Parse JSON entities and extend AlertTimeGenerated\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\n// Extract and process IP entities\n| mv-apply Entity = Entities on \n ( \n where Entity.Type == 'ip' \n | extend EntityIp = tostring(Entity.Address) \n ) \n// Extract and process account entities\n| mv-apply Entity = Entities on \n ( \n where Entity.Type == 'account' \n | extend AccountObjectId = tostring(Entity.AadUserId)\n )\n// Filter out records with empty EntityIp\n| where isnotempty(EntityIp)\n// Summarize data and create sets of entities and system alert IDs\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\n by \n AlertName,\n ProductName,\n AlertSeverity,\n EntityIp,\n Tactics,\n Techniques,\n ProviderName,\n AlertTime= bin(AlertTimeGenerated, 1d),\n AccountObjectId\n// Join with GCPAuditLogs for VM instance creation\n| join kind=inner (\n GCPAuditLogs\n | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n | extend\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n VMStatus = tostring(parse_json(Response).status),\n VMOperation=tostring(parse_json(Response).operationType),\n VMName= tostring(parse_json(Request).name),\n VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1])\n | where GCPUserUPN !has \"gserviceaccount.com\"\n | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n | project\n GCPOperationTime=TimeGenerated,\n VMName,\n VMStatus,\n MethodName,\n GCPUserUPN,\n ProjectId,\n GCPUserIp,\n GCPUserUA,\n VMOperation,\n VMType\n )\n on $left.EntityIp == $right.GCPUserIp \n// Join with IdentityInfo to enrich user identity details\n| join kind=inner (IdentityInfo \n | distinct AccountObjectId, AccountUPN, JobTitle\n )\n on AccountObjectId \n// Calculate the time difference between the alert and VM creation for further analysis\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \"@\")[0], UPNSuffix = split(GCPUserUPN, \"@\")[1]\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery",
"Execution",
"InitialAccess"
],
"techniques": [
"T1078",
"T1106",
"T1526"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}