Azure Machine Learning Write Operations
Id | 68c89998-8052-4c80-a1f6-9d81060b6d57 |
Rulename | Azure Machine Learning Write Operations |
Description | Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation. |
Severity | Low |
Tactics | InitialAccess Execution Impact |
Techniques | T1078 T1059 T1496 |
Required data connectors | AzureActivity |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml |
Version | 1.0.0 |
Arm template | 68c89998-8052-4c80-a1f6-9d81060b6d57.json |
AzureActivity
| where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services
| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string
| extend subname = split(Hierarchy, "/") // Split Hierarchy to extract Subscription Name and ID
| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID
| extend Properties = parse_json(Properties) // Parse Properties as JSON
| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string
| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty
// | where Properties_entity contains "deepseek" // Filter activities where Properties.entity contains "deepseek"
| where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write"
| where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments
| extend LLM = tostring(split(Properties_entity, "/")[-1]) // Extract the last segment of Properties_entity and cast it to string
| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output
status: Available
id: 68c89998-8052-4c80-a1f6-9d81060b6d57
query: |
AzureActivity
| where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES" // Filter activities related to Microsoft Machine Learning Services
| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string
| extend subname = split(Hierarchy, "/") // Split Hierarchy to extract Subscription Name and ID
| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID
| extend Properties = parse_json(Properties) // Parse Properties as JSON
| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string
| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty
// | where Properties_entity contains "deepseek" // Filter activities where Properties.entity contains "deepseek"
| where OperationNameValue contains "write" // Filter activities where OperationNameValue contains "write"
| where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" // Exclude role assignments
| extend LLM = tostring(split(Properties_entity, "/")[-1]) // Extract the last segment of Properties_entity and cast it to string
| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml
description: |
'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.'
name: Azure Machine Learning Write Operations
relevantTechniques:
- T1078
- T1059
- T1496
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Caller
- entityType: IP
fieldMappings:
- identifier: Address
columnName: CallerIpAddress
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: _ResourceId
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- dataTypes:
- AzureActivity
connectorId: AzureActivity
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.0
kind: Scheduled
tactics:
- InitialAccess
- Execution
- Impact
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68c89998-8052-4c80-a1f6-9d81060b6d57')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68c89998-8052-4c80-a1f6-9d81060b6d57')]",
"properties": {
"alertRuleTemplateName": "68c89998-8052-4c80-a1f6-9d81060b6d57",
"customDetails": null,
"description": "'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.'\n",
"displayName": "Azure Machine Learning Write Operations",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Caller",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "CallerIpAddress",
"identifier": "Address"
}
]
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "_ResourceId",
"identifier": "ResourceId"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml",
"query": "AzureActivity\n| where ResourceProviderValue == \"MICROSOFT.MACHINELEARNINGSERVICES\" // Filter activities related to Microsoft Machine Learning Services\n| extend SCOPE = tostring(parse_json(Authorization).scope) // Parse Authorization scope as string\n| extend subname = split(Hierarchy, \"/\") // Split Hierarchy to extract Subscription Name and ID\n| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1] // Extract Subscription Name and ID\n| extend Properties = parse_json(Properties) // Parse Properties as JSON\n| extend Properties_entity = tostring(Properties.entity) // Cast Properties.entity to string\n| where isnotempty(Properties_entity) // Filter activities where Properties.entity is not empty\n// | where Properties_entity contains \"deepseek\" // Filter activities where Properties.entity contains \"deepseek\"\n| where OperationNameValue contains \"write\" // Filter activities where OperationNameValue contains \"write\"\n| where OperationNameValue !contains \"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" // Exclude role assignments\n| extend LLM = tostring(split(Properties_entity, \"/\")[-1]) // Extract the last segment of Properties_entity and cast it to string\n| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId // Select distinct relevant fields for output\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution",
"Impact",
"InitialAccess"
],
"techniques": [
"T1059",
"T1078",
"T1496"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}