Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure Machine Learning Write Operations

Azure Machine Learning Write Operations

Back
Id68c89998-8052-4c80-a1f6-9d81060b6d57
RulenameAzure Machine Learning Write Operations
DescriptionShows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.
SeverityLow
TacticsInitialAccess
Execution
Impact
TechniquesT1078
T1059
T1496
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml
Version1.0.0
Arm template68c89998-8052-4c80-a1f6-9d81060b6d57.json
Deploy To Azure
AzureActivity
| where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"  // Filter activities related to Microsoft Machine Learning Services
| extend SCOPE = tostring(parse_json(Authorization).scope)  // Parse Authorization scope as string
| extend subname = split(Hierarchy, "/")  // Split Hierarchy to extract Subscription Name and ID
| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1]  // Extract Subscription Name and ID
| extend Properties = parse_json(Properties)  // Parse Properties as JSON
| extend Properties_entity = tostring(Properties.entity)  // Cast Properties.entity to string
| where isnotempty(Properties_entity)  // Filter activities where Properties.entity is not empty
// | where Properties_entity contains "deepseek"  // Filter activities where Properties.entity contains "deepseek"
| where OperationNameValue contains "write"  // Filter activities where OperationNameValue contains "write"
| where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"  // Exclude role assignments
| extend LLM = tostring(split(Properties_entity, "/")[-1])  // Extract the last segment of Properties_entity and cast it to string
| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId  // Select distinct relevant fields for output

severity: Low
queryFrequency: 1d
query: |
  AzureActivity
  | where ResourceProviderValue == "MICROSOFT.MACHINELEARNINGSERVICES"  // Filter activities related to Microsoft Machine Learning Services
  | extend SCOPE = tostring(parse_json(Authorization).scope)  // Parse Authorization scope as string
  | extend subname = split(Hierarchy, "/")  // Split Hierarchy to extract Subscription Name and ID
  | extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1]  // Extract Subscription Name and ID
  | extend Properties = parse_json(Properties)  // Parse Properties as JSON
  | extend Properties_entity = tostring(Properties.entity)  // Cast Properties.entity to string
  | where isnotempty(Properties_entity)  // Filter activities where Properties.entity is not empty
  // | where Properties_entity contains "deepseek"  // Filter activities where Properties.entity contains "deepseek"
  | where OperationNameValue contains "write"  // Filter activities where OperationNameValue contains "write"
  | where OperationNameValue !contains "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"  // Exclude role assignments
  | extend LLM = tostring(split(Properties_entity, "/")[-1])  // Extract the last segment of Properties_entity and cast it to string
  | distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId  // Select distinct relevant fields for output  
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
description: |
    'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.'
relevantTechniques:
- T1078
- T1059
- T1496
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Caller
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
  entityType: IP
- fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
  entityType: AzureResource
triggerThreshold: 0
queryPeriod: 1d
tactics:
- InitialAccess
- Execution
- Impact
status: Available
id: 68c89998-8052-4c80-a1f6-9d81060b6d57
version: 1.0.0
name: Azure Machine Learning Write Operations
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68c89998-8052-4c80-a1f6-9d81060b6d57')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68c89998-8052-4c80-a1f6-9d81060b6d57')]",
      "properties": {
        "alertRuleTemplateName": "68c89998-8052-4c80-a1f6-9d81060b6d57",
        "customDetails": null,
        "description": "'Shows the most prevalent users who perform write operations on Azure Machine Learning resources. List the common source IP address for each of those accounts. If an operation is not from those IP addresses, it may be worthy of investigation.'\n",
        "displayName": "Azure Machine Learning Write Operations",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Caller",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "CallerIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Machine_Learning_Creation.yaml",
        "query": "AzureActivity\n| where ResourceProviderValue == \"MICROSOFT.MACHINELEARNINGSERVICES\"  // Filter activities related to Microsoft Machine Learning Services\n| extend SCOPE = tostring(parse_json(Authorization).scope)  // Parse Authorization scope as string\n| extend subname = split(Hierarchy, \"/\")  // Split Hierarchy to extract Subscription Name and ID\n| extend ['Subscription Name'] = subname[-2], ['Subscription ID'] = subname[-1]  // Extract Subscription Name and ID\n| extend Properties = parse_json(Properties)  // Parse Properties as JSON\n| extend Properties_entity = tostring(Properties.entity)  // Cast Properties.entity to string\n| where isnotempty(Properties_entity)  // Filter activities where Properties.entity is not empty\n// | where Properties_entity contains \"deepseek\"  // Filter activities where Properties.entity contains \"deepseek\"\n| where OperationNameValue contains \"write\"  // Filter activities where OperationNameValue contains \"write\"\n| where OperationNameValue !contains \"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"  // Exclude role assignments\n| extend LLM = tostring(split(Properties_entity, \"/\")[-1])  // Extract the last segment of Properties_entity and cast it to string\n| distinct TimeGenerated, tostring(['Subscription Name']), ResourceGroup, tostring(['Subscription ID']), Caller, CallerIpAddress, OperationNameValue, LLM, _ResourceId  // Select distinct relevant fields for output\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1059",
          "T1078",
          "T1496"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}