Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cross-Cloud Suspicious Compute resource creation in GCP

Back
Id5c847e47-0a07-4c01-ab99-5817ad6cb11e
RulenameCross-Cloud Suspicious Compute resource creation in GCP
DescriptionThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.
SeverityLow
TacticsInitialAccess
Execution
Persistence
PrivilegeEscalation
CredentialAccess
Discovery
LateralMovement
TechniquesT1566
T1059
T1078
T1547
T1548
T1069
T1552
Required data connectorsAWSS3
GCPAuditLogsDefinition
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml
Version1.0.2
Arm template5c847e47-0a07-4c01-ab99-5817ad6cb11e.json
Deploy To Azure
// Materialize AWS GuardDuty findings
let AwsAlert = materialize (
    AWSGuardDuty
    // Filter for specific activity types in AWS GuardDuty
    | where ActivityType has_any (
        "Backdoor:EC2/DenialOfService.UnusualProtocol",
        "CredentialAccess:Kubernetes/MaliciousIPCaller",
        "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
        "CredentialAccess:Kubernetes/TorIPCaller",
        "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
        "CredentialAccess:RDS/TorIPCaller.FailedLogin",
        "CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
        "Discovery:Kubernetes/MaliciousIPCaller",
        "Recon:IAMUser/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:EC2/TorClient",
        "UnauthorizedAccess:IAMUser/TorIPCaller",
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
        "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B"
        )
    // Extract and transform AWS GuardDuty attributes
    | extend
        AWSAlertId = Id, 
        AWSAlertTitle = Title,
        AWSAlertDescription = Description,
        AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
        AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
        AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
        InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
        AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
        AWSAlertTime = TimeCreated,
        AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),
        Severity = 
        case (
    Severity >= 7.0,
    "High",
    Severity between (4.0 .. 6.9),
    "Medium",
    Severity between (1.0 .. 3.9),
    "Low",
    "Unknown"
)
    // Extract API call details and count
    | mv-apply AIPCall = AWSTargetingService on 
        ( 
        where AIPCall has "name"    
        | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
        ) 
    // Select distinct attributes for further analysis
    | distinct
        AWSAlertTime,
        ActivityType,
        Severity,
        AWSAlertId,
        AWSAlertTitle,
        AWSAlertDescription,
        AWSAlertLink,
        Arn,
        AWSresourceType,
        AWSNetworkEntity,
        AWSAlertUserNameEntity,
        InstanceType,
        APICallName,
        APICallCount      
    );
// Materialize GCP Audit Logs related to VM instance creation
let GCPVMActivity= materialize(
    GCPAuditLogs 
    // Filter for Compute Engine instances insertions
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    // Extract and transform relevant GCP Audit Log attributes
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMDetails= parse_json(AuthorizationInfo),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMDescription= tostring(parse_json(Request).description),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1]),
        Tags= tostring(parse_json(Request).tags),
        RequestJS = parse_json(Request)
    // Filter out service account-related activities and private IP addresses
    | where GCPUserUPN !has "gserviceaccount.com"
    | extend Name = tostring(split(GCPUserUPN, "@")[0]), UPNSuffix = tostring(split(GCPUserUPN, "@")[1])
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    // Select relevant attributes for further analysis
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType,
        Name,
        UPNSuffix
    );
// Join AWS and GCP activities based on matching IP addresses
AwsAlert
| join kind= inner (GCPVMActivity)
    on
    $left.AWSNetworkEntity == $right.GCPUserIp
kind: Scheduled
relevantTechniques:
- T1566
- T1059
- T1078
- T1547
- T1548
- T1069
- T1552
description: |
    'This detection  identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.'
queryPeriod: 1d
queryFrequency: 1d
tactics:
- InitialAccess
- Execution
- Persistence
- PrivilegeEscalation
- CredentialAccess
- Discovery
- LateralMovement
name: Cross-Cloud Suspicious Compute resource creation in GCP
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
- connectorId: AWSS3
  dataTypes:
  - AWSGuardDuty
customDetails:
  AWSInstanceType: InstanceType
  GCPVMName: VMName
  GCPProjectId: ProjectId
  GCPVMType: VMType
  CorrelationWith: GCPAuditLogs
  AWSAPICallName: APICallName
  AWSAPICallCount: APICallCount
  AWSAlertUserName: AWSAlertUserNameEntity
  GCPUserAgent: GCPUserUA
  AWSArn: Arn
  AWSresourceType: AWSresourceType
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: GCPUserIp
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: GCPUserUPN
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
triggerThreshold: 0
version: 1.0.2
id: 5c847e47-0a07-4c01-ab99-5817ad6cb11e
query: |
  // Materialize AWS GuardDuty findings
  let AwsAlert = materialize (
      AWSGuardDuty
      // Filter for specific activity types in AWS GuardDuty
      | where ActivityType has_any (
          "Backdoor:EC2/DenialOfService.UnusualProtocol",
          "CredentialAccess:Kubernetes/MaliciousIPCaller",
          "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
          "CredentialAccess:Kubernetes/TorIPCaller",
          "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
          "CredentialAccess:RDS/TorIPCaller.FailedLogin",
          "CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
          "Discovery:Kubernetes/MaliciousIPCaller",
          "Recon:IAMUser/MaliciousIPCaller.Custom",
          "UnauthorizedAccess:EC2/TorClient",
          "UnauthorizedAccess:IAMUser/TorIPCaller",
          "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
          "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B"
          )
      // Extract and transform AWS GuardDuty attributes
      | extend
          AWSAlertId = Id, 
          AWSAlertTitle = Title,
          AWSAlertDescription = Description,
          AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
          AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
          AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
          InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
          AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
          AWSAlertTime = TimeCreated,
          AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),
          Severity = 
          case (
      Severity >= 7.0,
      "High",
      Severity between (4.0 .. 6.9),
      "Medium",
      Severity between (1.0 .. 3.9),
      "Low",
      "Unknown"
  )
      // Extract API call details and count
      | mv-apply AIPCall = AWSTargetingService on 
          ( 
          where AIPCall has "name"    
          | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
          ) 
      // Select distinct attributes for further analysis
      | distinct
          AWSAlertTime,
          ActivityType,
          Severity,
          AWSAlertId,
          AWSAlertTitle,
          AWSAlertDescription,
          AWSAlertLink,
          Arn,
          AWSresourceType,
          AWSNetworkEntity,
          AWSAlertUserNameEntity,
          InstanceType,
          APICallName,
          APICallCount      
      );
  // Materialize GCP Audit Logs related to VM instance creation
  let GCPVMActivity= materialize(
      GCPAuditLogs 
      // Filter for Compute Engine instances insertions
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      // Extract and transform relevant GCP Audit Log attributes
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMDetails= parse_json(AuthorizationInfo),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMDescription= tostring(parse_json(Request).description),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1]),
          Tags= tostring(parse_json(Request).tags),
          RequestJS = parse_json(Request)
      // Filter out service account-related activities and private IP addresses
      | where GCPUserUPN !has "gserviceaccount.com"
      | extend Name = tostring(split(GCPUserUPN, "@")[0]), UPNSuffix = tostring(split(GCPUserUPN, "@")[1])
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      // Select relevant attributes for further analysis
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType,
          Name,
          UPNSuffix
      );
  // Join AWS and GCP activities based on matching IP addresses
  AwsAlert
  | join kind= inner (GCPVMActivity)
      on
      $left.AWSNetworkEntity == $right.GCPUserIp  
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDynamicProperties:
  - value: AWSAlertLink
    alertProperty: AlertLink
  - value: AWS
    alertProperty: ProviderName
  - value: AWSGuarduty
    alertProperty: ProductComponentName
  alertDisplayNameFormat: '{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}'
  alertDescriptionFormat: |2-
     This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.  

     AWS ALert Link : '{{AWSAlertLink}}' 

     Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml
severity: Low
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.  \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
          "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "AWSAlertLink"
            },
            {
              "alertProperty": "ProviderName",
              "value": "AWS"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "AWSGuarduty"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "5c847e47-0a07-4c01-ab99-5817ad6cb11e",
        "customDetails": {
          "AWSAlertUserName": "AWSAlertUserNameEntity",
          "AWSAPICallCount": "APICallCount",
          "AWSAPICallName": "APICallName",
          "AWSArn": "Arn",
          "AWSInstanceType": "InstanceType",
          "AWSresourceType": "AWSresourceType",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'This detection  identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.'\n",
        "displayName": "Cross-Cloud Suspicious Compute resource creation in GCP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "GCPUserUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml",
        "query": "// Materialize AWS GuardDuty findings\nlet AwsAlert = materialize (\n    AWSGuardDuty\n    // Filter for specific activity types in AWS GuardDuty\n    | where ActivityType has_any (\n        \"Backdoor:EC2/DenialOfService.UnusualProtocol\",\n        \"CredentialAccess:Kubernetes/MaliciousIPCaller\",\n        \"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\",\n        \"CredentialAccess:Kubernetes/TorIPCaller\",\n        \"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\",\n        \"CredentialAccess:RDS/TorIPCaller.FailedLogin\",\n        \"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\",\n        \"Discovery:Kubernetes/MaliciousIPCaller\",\n        \"Recon:IAMUser/MaliciousIPCaller.Custom\",\n        \"UnauthorizedAccess:EC2/TorClient\",\n        \"UnauthorizedAccess:IAMUser/TorIPCaller\",\n        \"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\",\n        \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\",\n        \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\",\n        \"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\"\n        )\n    // Extract and transform AWS GuardDuty attributes\n    | extend\n        AWSAlertId = Id, \n        AWSAlertTitle = Title,\n        AWSAlertDescription = Description,\n        AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\n        AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\n        AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\n        InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\n        AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\n        AWSAlertTime = TimeCreated,\n        AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),\n        Severity = \n        case (\n    Severity >= 7.0,\n    \"High\",\n    Severity between (4.0 .. 6.9),\n    \"Medium\",\n    Severity between (1.0 .. 3.9),\n    \"Low\",\n    \"Unknown\"\n)\n    // Extract API call details and count\n    | mv-apply AIPCall = AWSTargetingService on \n        ( \n        where AIPCall has \"name\"    \n        | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\"count\"])\n        ) \n    // Select distinct attributes for further analysis\n    | distinct\n        AWSAlertTime,\n        ActivityType,\n        Severity,\n        AWSAlertId,\n        AWSAlertTitle,\n        AWSAlertDescription,\n        AWSAlertLink,\n        Arn,\n        AWSresourceType,\n        AWSNetworkEntity,\n        AWSAlertUserNameEntity,\n        InstanceType,\n        APICallName,\n        APICallCount      \n    );\n// Materialize GCP Audit Logs related to VM instance creation\nlet GCPVMActivity= materialize(\n    GCPAuditLogs \n    // Filter for Compute Engine instances insertions\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    // Extract and transform relevant GCP Audit Log attributes\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMDetails= parse_json(AuthorizationInfo),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMDescription= tostring(parse_json(Request).description),\n        VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1]),\n        Tags= tostring(parse_json(Request).tags),\n        RequestJS = parse_json(Request)\n    // Filter out service account-related activities and private IP addresses\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | extend Name = tostring(split(GCPUserUPN, \"@\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \"@\")[1])\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    // Select relevant attributes for further analysis\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType,\n        Name,\n        UPNSuffix\n    );\n// Join AWS and GCP activities based on matching IP addresses\nAwsAlert\n| join kind= inner (GCPVMActivity)\n    on\n    $left.AWSNetworkEntity == $right.GCPUserIp\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "Execution",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1069",
          "T1078",
          "T1547",
          "T1548",
          "T1552",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}