Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cross-Cloud Suspicious Compute resource creation in GCP

Back
Id5c847e47-0a07-4c01-ab99-5817ad6cb11e
RulenameCross-Cloud Suspicious Compute resource creation in GCP
Description

This detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.
SeverityLow
TacticsInitialAccess
Execution
Persistence
PrivilegeEscalation
CredentialAccess
Discovery
LateralMovement
TechniquesT1566
T1059
T1078
T1547
T1548
T1069
T1552
Required data connectorsAWSS3
GCPAuditLogsDefinition
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml
Version1.0.0
Arm template5c847e47-0a07-4c01-ab99-5817ad6cb11e.json
Deploy To Azure
// Materialize AWS GuardDuty findings
let AwsAlert = materialize (
    AWSGuardDuty
    // Filter for specific activity types in AWS GuardDuty
    | where ActivityType has_any (
        "Backdoor:EC2/DenialOfService.UnusualProtocol",
        "CredentialAccess:Kubernetes/MaliciousIPCaller",
        "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
        "CredentialAccess:Kubernetes/TorIPCaller",
        "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
        "CredentialAccess:RDS/TorIPCaller.FailedLogin",
        "CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
        "Discovery:Kubernetes/MaliciousIPCaller",
        "Recon:IAMUser/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:EC2/TorClient",
        "UnauthorizedAccess:IAMUser/TorIPCaller",
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
        "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B"
        )
    // Extract and transform AWS GuardDuty attributes
    | extend
        AWSAlertId = Id, 
        AWSAlertTitle = Title,
        AWSAlertDescription = Description,
        AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
        AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
        AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
        InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
        AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
        AWSAlertTime = TimeCreated,
        AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),
        Severity = 
        case (
    Severity >= 7.0,
    "High",
    Severity between (4.0 .. 6.9),
    "Medium",
    Severity between (1.0 .. 3.9),
    "Low",
    "Unknown"
)
    // Extract API call details and count
    | mv-apply AIPCall = AWSTargetingService on 
        ( 
        where AIPCall has "name"    
        | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
        ) 
    // Select distinct attributes for further analysis
    | distinct
        AWSAlertTime,
        ActivityType,
        Severity,
        AWSAlertId,
        AWSAlertTitle,
        AWSAlertDescription,
        AWSAlertLink,
        Arn,
        AWSresourceType,
        AWSNetworkEntity,
        AWSAlertUserNameEntity,
        InstanceType,
        APICallName,
        APICallCount      
    );
// Materialize GCP Audit Logs related to VM instance creation
let GCPVMActivity= materialize(
    GCPAuditLogs 
    // Filter for Compute Engine instances insertions
    | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
    // Extract and transform relevant GCP Audit Log attributes
    | extend
        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
        VMDetails= parse_json(AuthorizationInfo),
        VMStatus =  tostring(parse_json(Response).status),
        VMOperation=tostring(parse_json(Response).operationType),
        VMName= tostring(parse_json(Request).name),
        VMDescription= tostring(parse_json(Request).description),
        VMType = tostring(split(parse_json(Request).machineType, "/")[-1]),
        Tags= tostring(parse_json(Request).tags),
        RequestJS = parse_json(Request)
    // Filter out service account-related activities and private IP addresses
    | where GCPUserUPN !has "gserviceaccount.com"
    | extend Name = tostring(split(GCPUserUPN, "@")[0]), UPNSuffix = tostring(split(GCPUserUPN, "@")[1])
    | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
    // Select relevant attributes for further analysis
    | project
        GCPOperationTime=TimeGenerated,
        VMName,
        VMStatus,
        MethodName,
        GCPUserUPN,
        ProjectId,
        GCPUserIp,
        GCPUserUA,
        VMOperation,
        VMType,
        Name,
        UPNSuffix
    );
// Join AWS and GCP activities based on matching IP addresses
AwsAlert
| join kind= inner (GCPVMActivity)
    on
    $left.AWSNetworkEntity == $right.GCPUserIp
customDetails:
  GCPProjectId: ProjectId
  AWSAlertUserName: AWSAlertUserNameEntity
  AWSInstanceType: InstanceType
  AWSArn: Arn
  GCPVMType: VMType
  GCPVMName: VMName
  AWSAPICallCount: APICallCount
  GCPUserAgent: GCPUserUA
  AWSAPICallName: APICallName
  CorrelationWith: GCPAuditLogs
  AWSresourceType: AWSresourceType
alertDetailsOverride:
  alertDynamicProperties:
  - value: AWSAlertLink
    alertProperty: AlertLink
  - value: AWS
    alertProperty: ProviderName
  - value: AWSGuarduty
    alertProperty: ProductComponentName
  alertDisplayNameFormat: '{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}'
  alertSeverityColumnName: Severity
  alertDescriptionFormat: |2-
     This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.  

     AWS ALert Link : '{{AWSAlertLink}}' 

     Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
triggerThreshold: 0
relevantTechniques:
- T1566
- T1059
- T1078
- T1547
- T1548
- T1069
- T1552
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
- dataTypes:
  - AWSGuardDuty
  connectorId: AWSS3
queryPeriod: 1d
tactics:
- InitialAccess
- Execution
- Persistence
- PrivilegeEscalation
- CredentialAccess
- Discovery
- LateralMovement
severity: Low
triggerOperator: gt
description: |
  '
  This detection  identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.
  '  
query: |
  // Materialize AWS GuardDuty findings
  let AwsAlert = materialize (
      AWSGuardDuty
      // Filter for specific activity types in AWS GuardDuty
      | where ActivityType has_any (
          "Backdoor:EC2/DenialOfService.UnusualProtocol",
          "CredentialAccess:Kubernetes/MaliciousIPCaller",
          "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
          "CredentialAccess:Kubernetes/TorIPCaller",
          "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
          "CredentialAccess:RDS/TorIPCaller.FailedLogin",
          "CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
          "Discovery:Kubernetes/MaliciousIPCaller",
          "Recon:IAMUser/MaliciousIPCaller.Custom",
          "UnauthorizedAccess:EC2/TorClient",
          "UnauthorizedAccess:IAMUser/TorIPCaller",
          "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
          "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B"
          )
      // Extract and transform AWS GuardDuty attributes
      | extend
          AWSAlertId = Id, 
          AWSAlertTitle = Title,
          AWSAlertDescription = Description,
          AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
          AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
          AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
          InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
          AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
          AWSAlertTime = TimeCreated,
          AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),
          Severity = 
          case (
      Severity >= 7.0,
      "High",
      Severity between (4.0 .. 6.9),
      "Medium",
      Severity between (1.0 .. 3.9),
      "Low",
      "Unknown"
  )
      // Extract API call details and count
      | mv-apply AIPCall = AWSTargetingService on 
          ( 
          where AIPCall has "name"    
          | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
          ) 
      // Select distinct attributes for further analysis
      | distinct
          AWSAlertTime,
          ActivityType,
          Severity,
          AWSAlertId,
          AWSAlertTitle,
          AWSAlertDescription,
          AWSAlertLink,
          Arn,
          AWSresourceType,
          AWSNetworkEntity,
          AWSAlertUserNameEntity,
          InstanceType,
          APICallName,
          APICallCount      
      );
  // Materialize GCP Audit Logs related to VM instance creation
  let GCPVMActivity= materialize(
      GCPAuditLogs 
      // Filter for Compute Engine instances insertions
      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
      // Extract and transform relevant GCP Audit Log attributes
      | extend
          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
          VMDetails= parse_json(AuthorizationInfo),
          VMStatus =  tostring(parse_json(Response).status),
          VMOperation=tostring(parse_json(Response).operationType),
          VMName= tostring(parse_json(Request).name),
          VMDescription= tostring(parse_json(Request).description),
          VMType = tostring(split(parse_json(Request).machineType, "/")[-1]),
          Tags= tostring(parse_json(Request).tags),
          RequestJS = parse_json(Request)
      // Filter out service account-related activities and private IP addresses
      | where GCPUserUPN !has "gserviceaccount.com"
      | extend Name = tostring(split(GCPUserUPN, "@")[0]), UPNSuffix = tostring(split(GCPUserUPN, "@")[1])
      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
      // Select relevant attributes for further analysis
      | project
          GCPOperationTime=TimeGenerated,
          VMName,
          VMStatus,
          MethodName,
          GCPUserUPN,
          ProjectId,
          GCPUserIp,
          GCPUserUA,
          VMOperation,
          VMType,
          Name,
          UPNSuffix
      );
  // Join AWS and GCP activities based on matching IP addresses
  AwsAlert
  | join kind= inner (GCPVMActivity)
      on
      $left.AWSNetworkEntity == $right.GCPUserIp  
name: Cross-Cloud Suspicious Compute resource creation in GCP
version: 1.0.0
kind: Scheduled
id: 5c847e47-0a07-4c01-ab99-5817ad6cb11e
queryFrequency: 1d
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: GCPUserIp
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.  \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
          "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "AWSAlertLink"
            },
            {
              "alertProperty": "ProviderName",
              "value": "AWS"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "AWSGuarduty"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "5c847e47-0a07-4c01-ab99-5817ad6cb11e",
        "customDetails": {
          "AWSAlertUserName": "AWSAlertUserNameEntity",
          "AWSAPICallCount": "APICallCount",
          "AWSAPICallName": "APICallName",
          "AWSArn": "Arn",
          "AWSInstanceType": "InstanceType",
          "AWSresourceType": "AWSresourceType",
          "CorrelationWith": "GCPAuditLogs",
          "GCPProjectId": "ProjectId",
          "GCPUserAgent": "GCPUserUA",
          "GCPVMName": "VMName",
          "GCPVMType": "VMType"
        },
        "description": "'\nThis detection  identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\n'\n",
        "displayName": "Cross-Cloud Suspicious Compute resource creation in GCP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "GCPUserIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/Cross-CloudSuspiciousComputeResourcecreationinGCP.yaml",
        "query": "// Materialize AWS GuardDuty findings\nlet AwsAlert = materialize (\n    AWSGuardDuty\n    // Filter for specific activity types in AWS GuardDuty\n    | where ActivityType has_any (\n        \"Backdoor:EC2/DenialOfService.UnusualProtocol\",\n        \"CredentialAccess:Kubernetes/MaliciousIPCaller\",\n        \"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\",\n        \"CredentialAccess:Kubernetes/TorIPCaller\",\n        \"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\",\n        \"CredentialAccess:RDS/TorIPCaller.FailedLogin\",\n        \"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\",\n        \"Discovery:Kubernetes/MaliciousIPCaller\",\n        \"Recon:IAMUser/MaliciousIPCaller.Custom\",\n        \"UnauthorizedAccess:EC2/TorClient\",\n        \"UnauthorizedAccess:IAMUser/TorIPCaller\",\n        \"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\",\n        \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\",\n        \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\",\n        \"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\"\n        )\n    // Extract and transform AWS GuardDuty attributes\n    | extend\n        AWSAlertId = Id, \n        AWSAlertTitle = Title,\n        AWSAlertDescription = Description,\n        AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\n        AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\n        AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\n        InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\n        AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\n        AWSAlertTime = TimeCreated,\n        AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),\n        Severity = \n        case (\n    Severity >= 7.0,\n    \"High\",\n    Severity between (4.0 .. 6.9),\n    \"Medium\",\n    Severity between (1.0 .. 3.9),\n    \"Low\",\n    \"Unknown\"\n)\n    // Extract API call details and count\n    | mv-apply AIPCall = AWSTargetingService on \n        ( \n        where AIPCall has \"name\"    \n        | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\"count\"])\n        ) \n    // Select distinct attributes for further analysis\n    | distinct\n        AWSAlertTime,\n        ActivityType,\n        Severity,\n        AWSAlertId,\n        AWSAlertTitle,\n        AWSAlertDescription,\n        AWSAlertLink,\n        Arn,\n        AWSresourceType,\n        AWSNetworkEntity,\n        AWSAlertUserNameEntity,\n        InstanceType,\n        APICallName,\n        APICallCount      \n    );\n// Materialize GCP Audit Logs related to VM instance creation\nlet GCPVMActivity= materialize(\n    GCPAuditLogs \n    // Filter for Compute Engine instances insertions\n    | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n    // Extract and transform relevant GCP Audit Log attributes\n    | extend\n        GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n        GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n        GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n        VMDetails= parse_json(AuthorizationInfo),\n        VMStatus =  tostring(parse_json(Response).status),\n        VMOperation=tostring(parse_json(Response).operationType),\n        VMName= tostring(parse_json(Request).name),\n        VMDescription= tostring(parse_json(Request).description),\n        VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1]),\n        Tags= tostring(parse_json(Request).tags),\n        RequestJS = parse_json(Request)\n    // Filter out service account-related activities and private IP addresses\n    | where GCPUserUPN !has \"gserviceaccount.com\"\n    | extend Name = tostring(split(GCPUserUPN, \"@\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \"@\")[1])\n    | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n    // Select relevant attributes for further analysis\n    | project\n        GCPOperationTime=TimeGenerated,\n        VMName,\n        VMStatus,\n        MethodName,\n        GCPUserUPN,\n        ProjectId,\n        GCPUserIp,\n        GCPUserUA,\n        VMOperation,\n        VMType,\n        Name,\n        UPNSuffix\n    );\n// Join AWS and GCP activities based on matching IP addresses\nAwsAlert\n| join kind= inner (GCPVMActivity)\n    on\n    $left.AWSNetworkEntity == $right.GCPUserIp\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "Execution",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1069",
          "T1078",
          "T1547",
          "T1548",
          "T1552",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}