Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious VM Instance Creation Activity Detected

Suspicious VM Instance Creation Activity Detected

Back
Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
DescriptionThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.4
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
Deploy To Azure
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Extract and process account entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    | where GCPUserUPN !has "gserviceaccount.com"
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]

kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityAlert (MDATP)
  connectorId: MicrosoftDefenderAdvancedThreatProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftCloudAppSecurity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
relevantTechniques:
- T1078
- T1106
- T1526
customDetails:
  AlertUserObjectId: AccountObjectId
  AlertIp: EntityIp
  GCPUserAgent: GCPUserUA
  CorrelationWith: GCPAuditLogs
  AlertName: AlertName
  GCPProjectId: ProjectId
  AlertProDuctName: ProductName
  GCPVMType: VMType
  AlertUserName: AccountUPN
  AlertIds: SystemAlertIds
  GCPVMName: VMName
tactics:
- InitialAccess
- Execution
- Discovery
alertDetailsOverride:
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
  alertDynamicProperties:
  - value: Microsoft Security
    alertProperty: ProviderName
  - value: Microsoft Defender
    alertProperty: ProductName
  - value: Microsoft Defender
    alertProperty: ProductComponentName
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  alertSeverityColumnName: AlertSeverity
name: Suspicious VM Instance Creation Activity Detected
queryFrequency: 1d
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
severity: Medium
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
version: 1.0.4
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
triggerOperator: gt