Creation of expensive computes in Azure
| Id | 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3 |
| Rulename | Creation of expensive computes in Azure |
| Description | Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions |
| Severity | Low |
| Tactics | DefenseEvasion |
| Techniques | T1578 |
| Required data connectors | AzureActivity |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml |
| Version | 2.0.3 |
| Arm template | 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3.json |
let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","nc12","nc24","nv24"]);
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
| where OperationNameValue in~ (operationList)
| where ActivityStatusValue startswith "Accept"
| where Properties has 'vmSize'
| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties
| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)
| mv-apply token=tokens to typeof(string) on (where vmSize contains token)
| extend ComputerName = tostring((parsed_property.osProfile).computerName)
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
description: |
'Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure.
An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes.
For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes
Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml
severity: Low
name: Creation of expensive computes in Azure
triggerThreshold: 1
queryPeriod: 1d
query: |
let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","nc12","nc24","nv24"]);
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
| where OperationNameValue in~ (operationList)
| where ActivityStatusValue startswith "Accept"
| where Properties has 'vmSize'
| extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties
| extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)
| mv-apply token=tokens to typeof(string) on (where vmSize contains token)
| extend ComputerName = tostring((parsed_property.osProfile).computerName)
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
| extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
relevantTechniques:
- T1578
id: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 2.0.3
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Caller
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: Host
fieldMappings:
- columnName: ComputerName
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: CallerIpAddress
identifier: Address