Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New CloudShell User

Back
Id6d7214d9-4a28-44df-aafb-0910b9e6ae3e
RulenameNew CloudShell User
DescriptionIdentifies when a user creates an Azure CloudShell for the first time.

Monitor this activity to ensure only the expected users are using CloudShell.
SeverityLow
TacticsExecution
TechniquesT1059
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
Version2.0.3
Arm template6d7214d9-4a28-44df-aafb-0910b9e6ae3e.json
Deploy To Azure
let match_window = 3m;
AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
| where ActivityStatusValue =~ "Success"
| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
| join kind = inner
(AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
) on Caller, TimeKey
| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)
| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
name: New CloudShell User
status: Available
triggerThreshold: 0
severity: Low
tactics:
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: UserIP
    identifier: Address
queryPeriod: 1d
queryFrequency: 1d
version: 2.0.3
triggerOperator: gt
description: |
  'Identifies when a user creates an Azure CloudShell for the first time.
  Monitor this activity to ensure only the expected users are using CloudShell.'  
query: |
  let match_window = 3m;
  AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
  | where ActivityStatusValue =~ "Success"
  | extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
  | join kind = inner
  (AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
  | extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
  ) on Caller, TimeKey
  | summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)
  | extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])  
relevantTechniques:
- T1059
id: 6d7214d9-4a28-44df-aafb-0910b9e6ae3e
requiredDataConnectors:
- dataTypes:
  - AzureActivity
  connectorId: AzureActivity
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "properties": {
        "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e",
        "customDetails": null,
        "description": "'Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only the expected users are using CloudShell.'\n",
        "displayName": "New CloudShell User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Caller",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "UserIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml",
        "query": "let match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\")\n| where ActivityStatusValue =~ \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\")\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "2.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}