Microsoft Sentinel Analytic Rules

Subscription moved to another tenant

Id: 48c026d8-7f36-4a95-9568-6f1420d66e37
Rulename: Subscription moved to another tenant
Description: This detection uses AzureActivity logs (Security category) to identify when a subscription is moved to another tenant.

A threat actor may move a subscription into their own tenant to circumvent local resource deployment and logging policies.

Once moved, threat actors may deploy resources and perform malicious activities such as crypto mining.

This is a technique known as “subscription hijacking”. More information can be found here: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
Severity: Low
Tactics: Impact
Techniques: T1496
Required data connectors: AzureActivity
Kind: Scheduled
Query frequency: 5m
Query period: 20m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/SubscriptionMigration.yaml
Version: 1.0.1
Arm template: 48c026d8-7f36-4a95-9568-6f1420d66e37.json

Query:
let queryFrequency = 5m;
let eventCapture = "moved from tenant ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) to tenant ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})";
AzureActivity
| where ingestion_time() > ago(queryFrequency)
| where CategoryValue =~ "Security"
| where OperationNameValue =~ "Microsoft.Subscription/updateTenant/action"
| extend Properties_d = coalesce(parse_json(Properties), Properties_d)
| where isnotempty(Properties_d)
| extend Summary = tostring(Properties_d.message)
| extend EventCapture = extract_all(eventCapture, Summary)
| extend SourceTenantId = iff(isnotempty(EventCapture), EventCapture[0][0], "")
| extend DestinationTenantId = iff(isnotempty(EventCapture), EventCapture[0][1], "")
| extend 
    Name = split(Caller, "@", 0)[0],
    UPNSuffix = split(Caller, "@", 1)[0]
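As an added example (not code from the rule or from the Azure-Sentinel repository), the following Python mirrors the query's steps over constructed AzureActivity-style records so the logic can be exercised offline: the ingestion-time window, the case-insensitive category and operation filters (KQL `=~`), the `coalesce(parse_json(Properties), Properties_d)` handling of string or already-parsed properties, the tenant-id regular expression, and the `Caller` split into `Name` and `UPNSuffix`. All sample records, tenant ids and message text are constructed; the only assumption about real data is what the rule itself assumes, namely that the operation's message contains the "moved from tenant ... to tenant ..." phrase matched by `eventCapture`.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Same pattern as the rule's eventCapture variable, compiled for Python.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TENANT_MOVE_RE = re.compile(rf"moved from tenant ({GUID}) to tenant ({GUID})")

# Lower-cased because KQL's =~ compares case-insensitively.
OPERATION = "microsoft.subscription/updatetenant/action"


def parse_properties(props):
    """Mirror of coalesce(parse_json(Properties), Properties_d): accept a JSON string or a dict."""
    if isinstance(props, dict):
        return props
    if isinstance(props, str):
        try:
            parsed = json.loads(props)
        except json.JSONDecodeError:
            return None
        return parsed if isinstance(parsed, dict) else None
    return None


def detect_subscription_moves(events, now, query_frequency=timedelta(minutes=5)):
    """Apply the rule's filters and extractions to AzureActivity-like records.

    Returns one row per matching event. Because the rule uses triggerOperator gt
    with triggerThreshold 0, every returned row would raise an alert.
    """
    rows = []
    for ev in events:
        # ingestion_time() > ago(queryFrequency)
        ingested = datetime.fromisoformat(ev["ingestion_time"])
        if ingested <= now - query_frequency:
            continue
        # CategoryValue =~ "Security" and OperationNameValue =~ ".../updateTenant/action"
        if ev.get("CategoryValue", "").lower() != "security":
            continue
        if ev.get("OperationNameValue", "").lower() != OPERATION:
            continue
        props = parse_properties(ev.get("Properties"))
        if not props:  # where isnotempty(Properties_d)
            continue
        summary = str(props.get("message", ""))
        # extract_all(eventCapture, Summary) -> first match's two capture groups, else ""
        match = TENANT_MOVE_RE.search(summary)
        source, destination = (match.group(1), match.group(2)) if match else ("", "")
        # split(Caller, "@", 0)[0] / split(Caller, "@", 1)[0]; no "@" gives an empty suffix
        caller = ev.get("Caller", "")
        name, _, upn_suffix = caller.partition("@")
        rows.append({
            "Caller": caller,
            "Name": name,
            "UPNSuffix": upn_suffix,
            "SubscriptionId": ev.get("SubscriptionId", ""),
            "Summary": summary,
            "SourceTenantId": source,
            "DestinationTenantId": destination,
        })
    return rows


# Constructed sample data: a fixed "now" and four made-up records.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {  # constructed: a move between two made-up tenants, ingested 2 minutes ago
        "ingestion_time": "2024-01-01T11:58:00+00:00",
        "CategoryValue": "Security",
        "OperationNameValue": "Microsoft.Subscription/updateTenant/action",
        "Caller": "alice@contoso.example",
        "SubscriptionId": "11111111-1111-1111-1111-111111111111",
        "Properties": json.dumps({"message": "Subscription 11111111-1111-1111-1111-111111111111 "
                                             "moved from tenant aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa "
                                             "to tenant bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"}),
    },
    {  # constructed: same operation by a service principal (no "@"), message without tenant ids
        "ingestion_time": "2024-01-01T11:59:00+00:00",
        "CategoryValue": "security",
        "OperationNameValue": "microsoft.subscription/updatetenant/action",
        "Caller": "00000000-0000-0000-0000-000000000000",
        "SubscriptionId": "22222222-2222-2222-2222-222222222222",
        "Properties": {"message": "Subscription tenant updated"},
    },
    {  # constructed: a different operation, filtered out
        "ingestion_time": "2024-01-01T11:59:00+00:00",
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.Resources/deployments/write",
        "Caller": "bob@contoso.example",
        "Properties": json.dumps({"message": "deployment"}),
    },
    {  # constructed: right operation but ingested 10 minutes ago, outside the 5-minute window
        "ingestion_time": "2024-01-01T11:50:00+00:00",
        "CategoryValue": "Security",
        "OperationNameValue": "Microsoft.Subscription/updateTenant/action",
        "Caller": "carol@contoso.example",
        "Properties": json.dumps({"message": "moved from tenant cccccccc-cccc-cccc-cccc-cccccccccccc "
                                             "to tenant dddddddd-dddd-dddd-dddd-dddddddddddd"}),
    },
]

if __name__ == "__main__":
    for row in detect_subscription_moves(SAMPLE_EVENTS, NOW):
        print(row)
```

Two behaviours worth noticing when tuning this rule: the tenant ids in `customDetails` are enrichment, not a filter, so an `updateTenant` action whose message does not match the regex still alerts with empty `SourceTenantId` and `DestinationTenantId`; and the `ingestion_time()` window of 5 minutes inside a 20-minute query period lets each run pick up records that arrived late without re-alerting on rows already seen by an earlier run.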

YAML definition (SubscriptionMigration.yaml):
queryPeriod: 20m
query: |
  let queryFrequency = 5m;
  let eventCapture = "moved from tenant ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) to tenant ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})";
  AzureActivity
  | where ingestion_time() > ago(queryFrequency)
  | where CategoryValue =~ "Security"
  | where OperationNameValue =~ "Microsoft.Subscription/updateTenant/action"
  | extend Properties_d = coalesce(parse_json(Properties), Properties_d)
  | where isnotempty(Properties_d)
  | extend Summary = tostring(Properties_d.message)
  | extend EventCapture = extract_all(eventCapture, Summary)
  | extend SourceTenantId = iff(isnotempty(EventCapture), EventCapture[0][0], "")
  | extend DestinationTenantId = iff(isnotempty(EventCapture), EventCapture[0][1], "")
  | extend 
      Name = split(Caller, "@", 0)[0],
      UPNSuffix = split(Caller, "@", 1)[0]  
version: 1.0.1
name: Subscription moved to another tenant
entityMappings:
- fieldMappings:
  - columnName: _ResourceId
    identifier: ResourceId
  entityType: AzureResource
- fieldMappings:
  - columnName: Caller
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/SubscriptionMigration.yaml
alertDetailsOverride:
  alertDisplayNameFormat: |
        Subscription {{SubscriptionId}} changed tenants
  alertDescriptionFormat: |
    The user {{Caller}} moved a subscription:

    {{Summary}}

    If this was not expected, it may indicate a subscription hijacking event.    
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
description: |
  'This detection uses AzureActivity logs (Security category) to identify when a subscription is moved to another tenant.
  A threat actor may move a subscription into their own tenant to circumvent local resource deployment and logging policies.
  Once moved, threat actors may deploy resources and perform malicious activities such as crypto mining.
  This is a technique known as "subscription hijacking". More information can be found here: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121'  
kind: Scheduled
queryFrequency: 5m
severity: Low
relevantTechniques:
- T1496
triggerOperator: gt
triggerThreshold: 0
customDetails:
  DestinationTenantId: DestinationTenantId
  SourceTenantId: SourceTenantId
tactics:
- Impact
id: 48c026d8-7f36-4a95-9568-6f1420d66e37