Microsoft Sentinel Analytic Rules

Creation of expensive computes in Azure

Id: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
Rulename: Creation of expensive computes in Azure
Description: Identifies the creation of large or expensive VMs (GPU-equipped or with a large number of virtual CPUs) in Azure.

Adversaries may create new virtual machines or resize existing ones to evade defenses or to use them for cryptomining.

Windows/Linux VM sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes

Azure VM naming conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions
Severity: Low
Tactics: DefenseEvasion
Techniques: T1578
Required data connectors: AzureActivity
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 1
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml
Version: 2.0.0
Arm template: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3.json
let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
| where tolower(OperationNameValue) in (operationList)
| where ActivityStatusValue == "Accepted" 
| where isnotempty(Properties)
| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
| where isnotempty(vmSize)
| where vmSize has_any (tokens) 
| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
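To see what the query's nested parse_json chain and its filters actually select, here is an added Python re-implementation of the rule run over constructed AzureActivity-style records; it is not part of the rule or of the Azure-Sentinel repository. The field names come from the query above; the substring test is an assumption standing in for KQL has_any, which matches whole terms, so the two can disagree at term boundaries.

```python
import json
from typing import Any, Optional

# Lists copied from the rule's KQL; tokens are fragments of expensive VM size names.
TOKENS = ["416", "208", "128", "120", "96", "80", "72", "64", "48", "44", "40",
          "g5", "gs5", "g4", "gs4", "nc12", "nc24", "nv12"]
OPERATIONS = {"microsoft.compute/virtualmachines/write",
              "microsoft.resources/deployments/write"}

def as_obj(value: Any) -> Any:
    """Equivalent of parse_json(tostring(x)): accept a JSON string or an already-parsed object."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return None
    return value

def vm_fields(properties: str) -> tuple:
    """Walk Properties -> responseBody -> properties -> hardwareProfile.vmSize / osProfile.computerName."""
    props = as_obj(properties) or {}
    body = as_obj(props.get("responseBody")) or {}
    inner = as_obj(body.get("properties")) or {}
    size = (as_obj(inner.get("hardwareProfile")) or {}).get("vmSize", "")
    name = (as_obj(inner.get("osProfile")) or {}).get("computerName", "")
    return str(size).lower(), str(name)

def is_expensive_compute(event: dict) -> Optional[dict]:
    """Apply the rule's filters to one AzureActivity record; return the projected row or None."""
    if event.get("OperationNameValue", "").lower() not in OPERATIONS:
        return None
    if event.get("ActivityStatusValue") != "Accepted" or not event.get("Properties"):
        return None
    size, name = vm_fields(event["Properties"])
    # Substring match is an assumption standing in for KQL has_any (whole-term matching).
    if not size or not any(t in size for t in TOKENS):
        return None
    return {"Caller": event.get("Caller"), "CallerIpAddress": event.get("CallerIpAddress"),
            "ComputerName": name, "vmSize": size}

def _event(op, status, size, caller="user@example.com", ip="203.0.113.10"):
    """Constructed AzureActivity-like record using the JSON-string-inside-JSON layout the query expects."""
    body = json.dumps({"properties": {"hardwareProfile": {"vmSize": size},
                                      "osProfile": {"computerName": "vm-" + size.lower()}}})
    return {"OperationNameValue": op, "ActivityStatusValue": status, "Caller": caller,
            "CallerIpAddress": ip, "Properties": json.dumps({"responseBody": body})}

SAMPLE_EVENTS = [  # constructed: one hit, one small VM, one failed request, one non-write operation
    _event("Microsoft.Compute/virtualMachines/write", "Accepted", "Standard_NC24"),
    _event("Microsoft.Compute/virtualMachines/write", "Accepted", "Standard_D2s_v3"),
    _event("Microsoft.Compute/virtualMachines/write", "Failed", "Standard_NV12"),
    _event("Microsoft.Compute/virtualMachines/delete", "Accepted", "Standard_G5"),
]

def run_rule(events=SAMPLE_EVENTS) -> list:
    """Return the rows the rule would alert on, in the projected column shape."""
    return [row for row in map(is_expensive_compute, events) if row]
```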
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
  'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.
  Adversary may create new or update existing virtual machines sizes to evade defenses 
  or use it for cryptomining purposes.
  For Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes 
  Azure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'  
status: Available
relevantTechniques:
- T1578
name: Creation of expensive computes in Azure
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml
severity: Low
triggerThreshold: 1
version: 2.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
  let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
  let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
  AzureActivity
  | where tolower(OperationNameValue) in (operationList)
  | where ActivityStatusValue == "Accepted" 
  | where isnotempty(Properties)
  | extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
  | where isnotempty(vmSize)
  | where vmSize has_any (tokens) 
  | extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
  | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
  | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress  
id: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
kind: Scheduled
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Creation of expensive computes in Azure",
        "description": "'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1578"
        ],
        "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml",
        "status": "Available",
        "templateVersion": "2.0.0"
      }
    }
  ]
}