Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New CloudShell User

Back
Id6d7214d9-4a28-44df-aafb-0910b9e6ae3e
RulenameNew CloudShell User
DescriptionIdentifies when a user creates an Azure CloudShell for the first time.

Monitor this activity to ensure only expected user are using CloudShell
SeverityLow
TacticsExecution
TechniquesT1059
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
Version2.0.1
Arm template6d7214d9-4a28-44df-aafb-0910b9e6ae3e.json
Deploy To Azure
let match_window = 3m;
AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
| where ActivityStatusValue == "Success"
| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
| join kind = inner
(AzureActivity
| where ResourceGroup has "cloud-shell"
| where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
) on Caller, TimeKey
| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: UserIP
    identifier: Address
severity: Low
triggerThreshold: 0
relevantTechniques:
- T1059
query: |
  let match_window = 3m;
  AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/listKeys/action")
  | where ActivityStatusValue == "Success"
  | extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress
  | join kind = inner
  (AzureActivity
  | where ResourceGroup has "cloud-shell"
  | where (OperationNameValue =~ "Microsoft.Storage/storageAccounts/write")
  | extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress
  ) on Caller, TimeKey
  | summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)  
id: 6d7214d9-4a28-44df-aafb-0910b9e6ae3e
triggerOperator: gt
version: 2.0.1
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
description: |
  'Identifies when a user creates an Azure CloudShell for the first time.
  Monitor this activity to ensure only expected user are using CloudShell'  
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml
status: Available
name: New CloudShell User
tactics:
- Execution
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d7214d9-4a28-44df-aafb-0910b9e6ae3e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "New CloudShell User",
        "description": "'Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only expected user are using CloudShell'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\")\n| where ActivityStatusValue == \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\")\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Caller"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "UserIP"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/New-CloudShell-User.yaml",
        "templateVersion": "2.0.1"
      }
    }
  ]
}