Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New CloudShell User

Back
Id6d7214d9-4a28-44df-aafb-0910b9e6ae3e
RulenameNew CloudShell User
DescriptionIdentifies when a user creates an Azure CloudShell for the first time.

Monitor this activity to ensure only the expected users are using CloudShell.
SeverityLow
TacticsExecution
TechniquesT1059
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
Version2.0.3
Arm template6d7214d9-4a28-44df-aafb-0910b9e6ae3e.json
Deploy To Azure
let match_window = 3m;
AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
| where ActivityStatusValue =~ "Success"
| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
| join kind = inner
(AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
) on Caller, TimeKey
| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)
| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
queryPeriod: 1d
version: 2.0.3
tactics:
- Execution
queryFrequency: 1d
id: 6d7214d9-4a28-44df-aafb-0910b9e6ae3e
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - AzureActivity
  connectorId: AzureActivity
severity: Low
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: UserIP
    identifier: Address
triggerThreshold: 0
relevantTechniques:
- T1059
query: |
  let match_window = 3m;
  AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
  | where ActivityStatusValue =~ "Success"
  | extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
  | join kind = inner
  (AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
  | extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
  ) on Caller, TimeKey
  | summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)
  | extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])  
kind: Scheduled
name: New CloudShell User
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
description: |
  'Identifies when a user creates an Azure CloudShell for the first time.
  Monitor this activity to ensure only the expected users are using CloudShell.'  
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "properties": {
        "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e",
        "customDetails": null,
        "description": "'Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only the expected users are using CloudShell.'\n",
        "displayName": "New CloudShell User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Caller",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "UserIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml",
        "query": "let match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\")\n| where ActivityStatusValue =~ \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\")\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "2.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}