Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious VM Instance Creation Activity Detected

Back
Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
Description

This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.3
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
Deploy To Azure
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Extract and process account entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    | where GCPUserUPN !has "gserviceaccount.com"
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]
customDetails:
  GCPProjectId: ProjectId
  CorrelationWith: GCPAuditLogs
  GCPVMType: VMType
  AlertIp: EntityIp
  AlertIds: SystemAlertIds
  GCPVMName: VMName
  AlertUserObjectId: AccountObjectId
  AlertProDuctName: ProductName
  AlertUserName: AccountUPN
  GCPUserAgent: GCPUserUA
  AlertName: AlertName
alertDetailsOverride:
  alertDynamicProperties:
  - value: Microsoft Security
    alertProperty: ProviderName
  - value: Microsoft Defender
    alertProperty: ProductName
  - value: Microsoft Defender
    alertProperty: ProductComponentName
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
triggerThreshold: 0
relevantTechniques:
- T1078
- T1106
- T1526
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityAlert (MDATP)
  connectorId: MicrosoftDefenderAdvancedThreatProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftCloudAppSecurity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
queryPeriod: 1d
tactics:
- InitialAccess
- Execution
- Discovery
severity: Medium
triggerOperator: gt
description: |
  '
  This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
  '  
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
name: Suspicious VM Instance Creation Activity Detected
version: 1.0.3
kind: Scheduled
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
queryFrequency: 1d
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.",
          "alertDisplayNameFormat": "IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "Microsoft Security"
            },
            {
              "alertProperty": "ProductName",
              "value": "Microsoft Defender"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "Microsoft Defender"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity"
        },
        "alertRuleTemplateName": "1cc0ba27-c5ca-411a-a779-fbc89e26be83",
        "customDetails": {
          "AlertIds": "SystemAlertIds",
          "AlertIp": "EntityIp",
          "AlertName": "AlertName",
          "AlertProDuctName": "ProductName",
          "AlertUserName": "AccountUPN",
          "AlertUserObjectId": "AccountObjectId",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'\nThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.\n'\n",
        "displayName": "Suspicious VM Instance Creation Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "GCPUserUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml",
        "query": "// Filter alerts from specific Microsoft security products with medium and high severity\nSecurityAlert \n| where ProductName in (\"Microsoft 365 Defender\", \"Azure Active Directory\", \"Microsoft Defender Advanced Threat Protection\", \"Microsoft Cloud App Security\", \"Azure Active Directory Identity Protection\", \"Microsoft Defender ATP\")\n| where AlertSeverity has_any (\"Medium\", \"High\")\n// Parse JSON entities and extend AlertTimeGenerated\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\n// Extract and process IP entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'ip' \n    | extend EntityIp = tostring(Entity.Address) \n    ) \n// Extract and process account entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'account' \n    | extend AccountObjectId = tostring(Entity.AadUserId)\n    )\n// Filter out records with empty EntityIp\n| where isnotempty(EntityIp)\n// Summarize data and create sets of entities and system alert IDs\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\n    by \n    AlertName,\n    ProductName,\n    AlertSeverity,\n    EntityIp,\n    Tactics,\n    Techniques,\n    ProviderName,\n    AlertTime= bin(AlertTimeGenerated, 1d),\n    AccountObjectId\n// Join with GCPAuditLogs for VM instance creation\n| join kind=inner (\n    GCPAuditLogs\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1])\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType\n    )\n    on $left.EntityIp == $right.GCPUserIp \n// Join with IdentityInfo to enrich user identity details\n| join kind=inner (IdentityInfo \n    | distinct AccountObjectId, AccountUPN, JobTitle\n    )\n    on AccountObjectId \n// Calculate the time difference between the alert and VM creation for further analysis\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \"@\")[0], UPNSuffix = split(GCPUserUPN, \"@\")[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1106",
          "T1526"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}