Microsoft Sentinel Analytic Rules

NRT Creation of expensive computes in Azure

Id: 56fe0db0-6779-46fa-b3c5-006082a53064
Rulename: NRT Creation of expensive computes in Azure
Description: Identifies the creation of large/expensive VMs (GPU-equipped or with a large number of virtual CPUs) in Azure. An adversary may create new virtual machines or resize existing ones to evade defenses or to use them for cryptomining.
For Windows/Linux VM sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes
Azure VM naming conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1578
Required data connectors: AzureActivity
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/NRT_Creation_of_Expensive_Computes_in_Azure.yaml
Version: 2.0.0
Arm template: 56fe0db0-6779-46fa-b3c5-006082a53064.json

Query:
// Size tokens that mark an expensive SKU: large vCPU counts and GPU/large-memory series names (G, GS, NC, NV)
let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
// Operations that create or update a VM, either directly or through an ARM deployment
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
| where tolower(OperationNameValue) in (operationList)
| where ActivityStatusValue == "Accepted"
| where isnotempty(Properties)
// The size sits in responseBody.properties.hardwareProfile; each level is stored as a JSON string, so it is re-parsed at every step
| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
| where isnotempty(vmSize)
// Match on whole terms of the size name (e.g. "standard_nc24"), not on substrings
| where vmSize has_any (tokens)
| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
// Entity columns consumed by the Account and IP entity mappings below
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
Rule YAML:

description: |
  'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.
  Adversary may create new or update existing virtual machines sizes to evade defenses 
  or use it for cryptomining purposes.
  For Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes 
  Azure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'  
name: NRT Creation of expensive computes in Azure
tactics:
- DefenseEvasion
status: Available
relevantTechniques:
- T1578
query: |
  let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
  let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
  AzureActivity
  | where tolower(OperationNameValue) in (operationList)
  | where ActivityStatusValue == "Accepted" 
  | where isnotempty(Properties)
  | extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
  | where isnotempty(vmSize)
  | where vmSize has_any (tokens) 
  | extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
  | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
  | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/NRT_Creation_of_Expensive_Computes_in_Azure.yaml
severity: Medium
version: 2.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
id: 56fe0db0-6779-46fa-b3c5-006082a53064
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
kind: NRT
ARM template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/56fe0db0-6779-46fa-b3c5-006082a53064')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/56fe0db0-6779-46fa-b3c5-006082a53064')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "NRT Creation of expensive computes in Azure",
        "description": "'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1578"
        ],
        "alertRuleTemplateName": "56fe0db0-6779-46fa-b3c5-006082a53064",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/NRT_Creation_of_Expensive_Computes_in_Azure.yaml",
        "templateVersion": "2.0.0"
      }
    }
  ]
}