Microsoft Sentinel Analytic Rules

Suspicious VM Instance Creation Activity Detected

Id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
Rulename: Suspicious VM Instance Creation Activity Detected
Description: This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
Severity: Medium
Tactics: InitialAccess, Execution, Discovery
Techniques: T1078, T1106, T1526
Required data connectors: AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, GCPAuditLogsDefinition, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version: 1.0.4
Arm template: 1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
// Correlates Medium/High alerts from the listed Microsoft security products with GCP Compute
// instance-creation audit events whose caller IP equals an IP entity on the alert.
// NOTE(review): the rule description speaks of "high-severity alerts", but the severity filter
// below also admits Medium.
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse the Entities column as JSON and copy TimeGenerated to AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Expand the entities and keep those of type 'ip', exposing the address as EntityIp
// (one output row per IP entity)
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Expand the entities again and keep those of type 'account', exposing AadUserId as AccountObjectId
// NOTE(review): an alert without an 'account' entity appears to yield no rows from this step and
// so can never match; AadUserId may also be empty for some account entities - confirm this is intended
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Collapse to one row per alert name / product / severity / IP / tactics / techniques / provider /
// day / account, collecting the entities and SystemAlertIds of the grouped alerts.
// AlertTime is the alert's TimeGenerated truncated to a 1-day bin, not the exact alert time.
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Inner join with GCPAuditLogs VM instance creation events; the only join key is the IP address.
// NOTE(review): the alert's account and the GCP principal are never compared, so a shared egress
// address (NAT, VPN, proxy) can link unrelated users - weigh this during triage.
| join kind=inner (
    GCPAuditLogs
    // Compute API calls whose method name ends with "instances.insert"
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    // Pull the principal, caller IP, user agent, response status/operation type and the requested
    // VM name and machine type (last path segment) out of the JSON columns
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    // Drop principals whose e-mail contains "gserviceaccount.com"
    // NOTE(review): instance creation performed under a service-account identity is therefore
    // outside this rule's coverage and needs a separate detection
    | where GCPUserUPN !has "gserviceaccount.com"
    // Keep insert operations that carry a caller IP other than the literal "private"
    // (presumably the value logged when no external address is recorded - confirm against your logs).
    // VMStatus is extracted and projected but never filtered on, so the result is not limited to
    // creations with a particular status.
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details (AccountUPN, JobTitle)
// NOTE(review): this is an inner join, so a match is discarded when IdentityInfo holds no row for
// the AccountObjectId inside the rule's 1d query period; verify IdentityInfo coverage for that
// window, or the rule stays silent for those users. distinct can also return several rows per
// account when AccountUPN or JobTitle changed, which multiplies the result rows.
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// TimeDiff is the difference in days between the day-binned AlertTime and the GCP event time.
// It is informational only: nothing filters on it, and nothing requires the VM creation to come
// after the alert, so proximity is bounded solely by the rule's query period.
// Name and UPNSuffix split the GCP principal e-mail at "@" for the Account entity mapping.
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]
# Default severity of the rule; alertSeverityColumnName under alertDetailsOverride names the
# AlertSeverity query column (Medium or High per the query's filter) as the per-alert override.
severity: Medium
# Custom details attached to each alert, written as "detail name: query column".
customDetails:
  GCPUserAgent: GCPUserUA
  AlertIp: EntityIp
  GCPVMType: VMType
  AlertName: AlertName
  GCPProjectId: ProjectId
  AlertProDuctName: ProductName
  AlertUserName: AccountUPN
  # NOTE(review): GCPAuditLogs is the joined table's name, not a column the query outputs;
  # presumably this detail stays empty - confirm on a generated alert.
  CorrelationWith: GCPAuditLogs
  AlertIds: SystemAlertIds
  GCPVMName: VMName
  AlertUserObjectId: AccountObjectId
version: 1.0.4
alertDetailsOverride:
  # Placeholders in {{ }} are filled from query result columns.
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
  alertSeverityColumnName: AlertSeverity
  # NOTE(review): the text below says "successful" creation and "unauthorized" access, but the query
  # neither filters on VMStatus nor evaluates authorization; treat the alert as a correlation lead.
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  # Overrides for the provider/product fields of the generated alert.
  # NOTE(review): the values here are fixed strings that match no column in the query output;
  # verify in a test workspace how they are applied, and whether analysts who filter alerts by
  # product will still recognise these as coming from this scheduled rule.
  alertDynamicProperties:
  - value: Microsoft Security
    alertProperty: ProviderName
  - value: Microsoft Defender
    alertProperty: ProductName
  - value: Microsoft Defender
    alertProperty: ProductComponentName
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
# The rule runs once a day (queryFrequency) over the last day of data (queryPeriod, further down).
queryFrequency: 1d
# NOTE(review): the description says "high-severity alerts", while the query keeps Medium and High;
# "within a short timeframe" is not enforced by a filter and is bounded only by the 1d query period.
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
# Data sources the query reads: GCPAuditLogs, SecurityAlert (from several connectors) and
# IdentityInfo. All three tables are inner-joined, so the rule returns nothing when any one of
# them has no matching rows in the query period.
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityAlert (MDATP)
  connectorId: MicrosoftDefenderAdvancedThreatProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftCloudAppSecurity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
name: Suspicious VM Instance Creation Activity Detected
relevantTechniques:
- T1078
- T1106
- T1526
# Fire whenever the query returns at least one row (threshold 0 with the gt trigger operator).
triggerThreshold: 0
# Entities raised on the alert. Both come from the GCP side of the join: the caller IP and the GCP
# principal e-mail. The account taken from the source alert is not mapped as an entity; it is
# exposed only through customDetails (AccountUPN, AccountObjectId).
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: GCPUserIp
  entityType: IP
- fieldMappings:
  - identifier: FullName
    columnName: GCPUserUPN
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
kind: Scheduled
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
# KQL run by the rule. The block scalar below is the query text itself, so review notes are kept
# here rather than inside it:
# - the join between SecurityAlert and GCPAuditLogs is keyed on IP address only; the alert's
#   account and the GCP principal are not compared, so shared egress addresses can link
#   unrelated users;
# - principals containing "gserviceaccount.com" are excluded, so VM creation under a
#   service-account identity is not covered;
# - the IdentityInfo join is an inner join, so matches are dropped when IdentityInfo has no row
#   for the account within the 1d query period;
# - TimeDiff is computed for the analyst but never filtered on, and the alert is not required to
#   precede the VM creation.
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
# Together with triggerThreshold 0: alert when the query returns more than zero rows.
triggerOperator: gt
# ATT&CK tactics assigned to the rule.
tactics:
- InitialAccess
- Execution
- Discovery
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.",
          "alertDisplayNameFormat": "IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "Microsoft Security"
            },
            {
              "alertProperty": "ProductName",
              "value": "Microsoft Defender"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "Microsoft Defender"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity"
        },
        "alertRuleTemplateName": "1cc0ba27-c5ca-411a-a779-fbc89e26be83",
        "customDetails": {
          "AlertIds": "SystemAlertIds",
          "AlertIp": "EntityIp",
          "AlertName": "AlertName",
          "AlertProDuctName": "ProductName",
          "AlertUserName": "AccountUPN",
          "AlertUserObjectId": "AccountObjectId",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'\n",
        "displayName": "Suspicious VM Instance Creation Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "GCPUserUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml",
        "query": "// Filter alerts from specific Microsoft security products with medium and high severity\nSecurityAlert \n| where ProductName in (\"Microsoft 365 Defender\", \"Azure Active Directory\", \"Microsoft Defender Advanced Threat Protection\", \"Microsoft Cloud App Security\", \"Azure Active Directory Identity Protection\", \"Microsoft Defender ATP\")\n| where AlertSeverity has_any (\"Medium\", \"High\")\n// Parse JSON entities and extend AlertTimeGenerated\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\n// Extract and process IP entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'ip' \n    | extend EntityIp = tostring(Entity.Address) \n    ) \n// Extract and process account entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'account' \n    | extend AccountObjectId = tostring(Entity.AadUserId)\n    )\n// Filter out records with empty EntityIp\n| where isnotempty(EntityIp)\n// Summarize data and create sets of entities and system alert IDs\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\n    by \n    AlertName,\n    ProductName,\n    AlertSeverity,\n    EntityIp,\n    Tactics,\n    Techniques,\n    ProviderName,\n    AlertTime= bin(AlertTimeGenerated, 1d),\n    AccountObjectId\n// Join with GCPAuditLogs for VM instance creation\n| join kind=inner (\n    GCPAuditLogs\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMType = tostring(split(parse_json(Request).machineType, 
\"/\")[-1])\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType\n    )\n    on $left.EntityIp == $right.GCPUserIp \n// Join with IdentityInfo to enrich user identity details\n| join kind=inner (IdentityInfo \n    | distinct AccountObjectId, AccountUPN, JobTitle\n    )\n    on AccountObjectId \n// Calculate the time difference between the alert and VM creation for further analysis\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \"@\")[0], UPNSuffix = split(GCPUserUPN, \"@\")[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1106",
          "T1526"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}