Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious VM Instance Creation Activity Detected

Suspicious VM Instance Creation Activity Detected

Back
Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
DescriptionThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.4
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
Deploy To Azure
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Extract and process account entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    | where GCPUserUPN !has "gserviceaccount.com"
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]

relevantTechniques:
- T1078
- T1106
- T1526
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
version: 1.0.4
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
severity: Medium
kind: Scheduled
queryFrequency: 1d
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
- connectorId: MicrosoftDefenderAdvancedThreatProtection
  dataTypes:
  - SecurityAlert (MDATP)
- connectorId: MicrosoftCloudAppSecurity
  dataTypes:
  - SecurityAlert
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
triggerOperator: gt
name: Suspicious VM Instance Creation Activity Detected
tactics:
- InitialAccess
- Execution
- Discovery
alertDetailsOverride:
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  alertSeverityColumnName: AlertSeverity
  alertDynamicProperties:
  - value: Microsoft Security
    alertProperty: ProviderName
  - value: Microsoft Defender
    alertProperty: ProductName
  - value: Microsoft Defender
    alertProperty: ProductComponentName
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
triggerThreshold: 0
queryPeriod: 1d
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
customDetails:
  CorrelationWith: GCPAuditLogs
  AlertIp: EntityIp
  GCPVMType: VMType
  GCPProjectId: ProjectId
  AlertUserName: AccountUPN
  AlertName: AlertName
  GCPUserAgent: GCPUserUA
  AlertUserObjectId: AccountObjectId
  GCPVMName: VMName
  AlertProDuctName: ProductName
  AlertIds: SystemAlertIds