Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious VM Instance Creation Activity Detected

Back
Id1cc0ba27-c5ca-411a-a779-fbc89e26be83
RulenameSuspicious VM Instance Creation Activity Detected
DescriptionThis detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
SeverityMedium
TacticsInitialAccess
Execution
Discovery
TechniquesT1078
T1106
T1526
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
GCPAuditLogsDefinition
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
Version1.0.4
Arm template1cc0ba27-c5ca-411a-a779-fbc89e26be83.json
Deploy To Azure
// Filter alerts from specific Microsoft security products with medium and high severity
SecurityAlert 
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
| where AlertSeverity has_any ("Medium", "High")
// Parse JSON entities and extend AlertTimeGenerated
| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
// Extract and process IP entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'ip' 
    | extend EntityIp = tostring(Entity.Address) 
    ) 
// Extract and process account entities
| mv-apply Entity = Entities on 
    ( 
    where Entity.Type == 'account' 
    | extend AccountObjectId = tostring(Entity.AadUserId)
    )
// Filter out records with empty EntityIp
| where isnotempty(EntityIp)
// Summarize data and create sets of entities and system alert IDs
| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
    by 
    AlertName,
    ProductName,
    AlertSeverity,
    EntityIp,
    Tactics,
    Techniques,
    ProviderName,
    AlertTime= bin(AlertTimeGenerated, 1d),
    AccountObjectId
// Join with GCPAuditLogs for VM instance creation
| join kind=inner (
    GCPAuditLogs
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
    | where GCPUserUPN !has "gserviceaccount.com"
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType
    )
    on $left.EntityIp == $right.GCPUserIp 
// Join with IdentityInfo to enrich user identity details
| join kind=inner (IdentityInfo 
    | distinct AccountObjectId, AccountUPN, JobTitle
    )
    on AccountObjectId 
// Calculate the time difference between the alert and VM creation for further analysis
| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]
queryPeriod: 1d
version: 1.0.4
tactics:
- InitialAccess
- Execution
- Discovery
queryFrequency: 1d
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityAlert (MDATP)
  connectorId: MicrosoftDefenderAdvancedThreatProtection
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftCloudAppSecurity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: GCPUserUPN
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
triggerThreshold: 0
relevantTechniques:
- T1078
- T1106
- T1526
query: |
  // Filter alerts from specific Microsoft security products with medium and high severity
  SecurityAlert 
  | where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security", "Azure Active Directory Identity Protection", "Microsoft Defender ATP")
  | where AlertSeverity has_any ("Medium", "High")
  // Parse JSON entities and extend AlertTimeGenerated
  | extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated
  // Extract and process IP entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'ip' 
      | extend EntityIp = tostring(Entity.Address) 
      ) 
  // Extract and process account entities
  | mv-apply Entity = Entities on 
      ( 
      where Entity.Type == 'account' 
      | extend AccountObjectId = tostring(Entity.AadUserId)
      )
  // Filter out records with empty EntityIp
  | where isnotempty(EntityIp)
  // Summarize data and create sets of entities and system alert IDs
  | summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)
      by 
      AlertName,
      ProductName,
      AlertSeverity,
      EntityIp,
      Tactics,
      Techniques,
      ProviderName,
      AlertTime= bin(AlertTimeGenerated, 1d),
      AccountObjectId
  // Join with GCPAuditLogs for VM instance creation
  | join kind=inner (
      GCPAuditLogs
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1])
      | where GCPUserUPN !has "gserviceaccount.com"
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType
      )
      on $left.EntityIp == $right.GCPUserIp 
  // Join with IdentityInfo to enrich user identity details
  | join kind=inner (IdentityInfo 
      | distinct AccountObjectId, AccountUPN, JobTitle
      )
      on AccountObjectId 
  // Calculate the time difference between the alert and VM creation for further analysis
  | extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, "@")[0], UPNSuffix = split(GCPUserUPN, "@")[1]  
kind: Scheduled
name: Suspicious VM Instance Creation Activity Detected
customDetails:
  GCPProjectId: ProjectId
  AlertUserName: AccountUPN
  AlertUserObjectId: AccountObjectId
  AlertProDuctName: ProductName
  GCPVMType: VMType
  AlertName: AlertName
  GCPVMName: VMName
  AlertIp: EntityIp
  AlertIds: SystemAlertIds
  GCPUserAgent: GCPUserUA
  CorrelationWith: GCPAuditLogs
description: |
    'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
alertDetailsOverride:
  alertDescriptionFormat: This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: Microsoft Security
  - alertProperty: ProductName
    value: Microsoft Defender
  - alertProperty: ProductComponentName
    value: Microsoft Defender
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1cc0ba27-c5ca-411a-a779-fbc89e26be83')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This detection correlates '{{ProductName}}' Alert IP addresse Entity found in VM instance creation in GCP {{ProjectId}}. It identifies successful compute instance creation, from suspicious IP addresse. By joining these datasets on network entities and IP addresses, it detects unauthorized Initial access attempts across GCP environments.",
          "alertDisplayNameFormat": "IP address {{GCPUserIp}} Assocated with {{AlertName}} found in GCP VM creation event by {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "Microsoft Security"
            },
            {
              "alertProperty": "ProductName",
              "value": "Microsoft Defender"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "Microsoft Defender"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity"
        },
        "alertRuleTemplateName": "1cc0ba27-c5ca-411a-a779-fbc89e26be83",
        "customDetails": {
          "AlertIds": "SystemAlertIds",
          "AlertIp": "EntityIp",
          "AlertName": "AlertName",
          "AlertProDuctName": "ProductName",
          "AlertUserName": "AccountUPN",
          "AlertUserObjectId": "AccountObjectId",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'\n",
        "displayName": "Suspicious VM Instance Creation Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "GCPUserUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousVMInstanceCreationActivity.yaml",
        "query": "// Filter alerts from specific Microsoft security products with medium and high severity\nSecurityAlert \n| where ProductName in (\"Microsoft 365 Defender\", \"Azure Active Directory\", \"Microsoft Defender Advanced Threat Protection\", \"Microsoft Cloud App Security\", \"Azure Active Directory Identity Protection\", \"Microsoft Defender ATP\")\n| where AlertSeverity has_any (\"Medium\", \"High\")\n// Parse JSON entities and extend AlertTimeGenerated\n| extend Entities = parse_json(Entities), AlertTimeGenerated=TimeGenerated\n// Extract and process IP entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'ip' \n    | extend EntityIp = tostring(Entity.Address) \n    ) \n// Extract and process account entities\n| mv-apply Entity = Entities on \n    ( \n    where Entity.Type == 'account' \n    | extend AccountObjectId = tostring(Entity.AadUserId)\n    )\n// Filter out records with empty EntityIp\n| where isnotempty(EntityIp)\n// Summarize data and create sets of entities and system alert IDs\n| summarize Entitys=make_set(Entity), SystemAlertIds=make_set(SystemAlertId)\n    by \n    AlertName,\n    ProductName,\n    AlertSeverity,\n    EntityIp,\n    Tactics,\n    Techniques,\n    ProviderName,\n    AlertTime= bin(AlertTimeGenerated, 1d),\n    AccountObjectId\n// Join with GCPAuditLogs for VM instance creation\n| join kind=inner (\n    GCPAuditLogs\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1])\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType\n    )\n    on $left.EntityIp == $right.GCPUserIp \n// Join with IdentityInfo to enrich user identity details\n| join kind=inner (IdentityInfo \n    | distinct AccountObjectId, AccountUPN, JobTitle\n    )\n    on AccountObjectId \n// Calculate the time difference between the alert and VM creation for further analysis\n| extend TimeDiff= datetime_diff('day', AlertTime, GCPOperationTime),Name = split(GCPUserUPN, \"@\")[0], UPNSuffix = split(GCPUserUPN, \"@\")[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1106",
          "T1526"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}