Creation of expensive computes in Azure
| Field | Value |
| --- | --- |
| Id | 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3 |
| Rulename | Creation of expensive computes in Azure |
| Description | Identifies the creation of large or expensive VMs (GPU-backed, or with a large number of virtual CPUs) in Azure. An adversary may create new virtual machines or resize existing ones to evade defenses or to use them for cryptomining. Windows/Linux VM sizes: https://docs.microsoft.com/azure/virtual-machines/windows/sizes. Azure VM naming conventions: https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions |
| Severity | Low |
| Tactics | DefenseEvasion |
| Techniques | T1578 |
| Required data connectors | AzureActivity |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml |
| Version | 2.0.0 |
| Arm template | 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3.json |
```kusto
let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
AzureActivity
| where tolower(OperationNameValue) in (operationList)
| where ActivityStatusValue == "Accepted"
| where isnotempty(Properties)
| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
| where isnotempty(vmSize)
| where vmSize has_any (tokens)
| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
```
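The detection logic of the query above, re-implemented in Python over a handful of constructed `AzureActivity` rows so the filtering and the nested `Properties` parsing can be stepped through offline. This is an added example, not code from the Azure Sentinel rule or its repository. It mirrors the query's `parse_json` chain (the `responseBody` inside `Properties` is itself a JSON string, which is why the query re-parses at every level), and its `has_any` helper is my approximation of the KQL operator as a case-insensitive match on whole alphanumeric terms, with `_` and other non-alphanumeric characters treated as term separators; that reading of the operator is an assumption, not something the rule states. The sample rows, callers and addresses are constructed. Under that reading a size such as `Standard_M416ms_v2` is not matched by the numeric token `416`, because `m416ms` is a single term; the example includes such a row to make that behaviour visible.

```python
import json
import re
from typing import Any

# Token and operation lists copied from the rule's KQL.
TOKENS = ["416", "208", "128", "120", "96", "80", "72", "64", "48", "44", "40",
          "g5", "gs5", "g4", "gs4", "nc12", "nc24", "nv12"]
OPERATIONS = {"microsoft.compute/virtualmachines/write",
              "microsoft.resources/deployments/write"}


def as_json(value: Any) -> Any:
    """Emulate KQL parse_json: parse a JSON string, pass through an already
    parsed object, and return None for anything that is not valid JSON."""
    if isinstance(value, (dict, list)):
        return value
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return None
    return None


def dig(value: Any, *keys: str) -> Any:
    """Walk nested keys, re-parsing JSON strings at each level exactly as the
    query's tostring(parse_json(...)) chain does."""
    for key in keys:
        value = as_json(value)
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value


def has_any(value: str, tokens: list) -> bool:
    """Approximation of KQL has_any (assumption): case-insensitive match on
    whole alphanumeric terms; '_' and other non-alphanumerics split terms."""
    terms = set(re.findall(r"[0-9a-z]+", value.lower()))
    return any(tok.lower() in terms for tok in tokens)


def evaluate(rows: list) -> list:
    """Apply the rule's filters to AzureActivity-shaped rows and return the
    projected columns for every row that would raise an alert."""
    hits = []
    for row in rows:
        if str(row.get("OperationNameValue", "")).lower() not in OPERATIONS:
            continue
        if row.get("ActivityStatusValue") != "Accepted":
            continue
        props = row.get("Properties")
        if not props:
            continue
        vm_size = str(dig(props, "responseBody", "properties",
                          "hardwareProfile", "vmSize") or "").lower()
        if not vm_size or not has_any(vm_size, TOKENS):
            continue
        computer = dig(props, "responseBody", "properties",
                       "osProfile", "computerName")
        hits.append({
            "TimeGenerated": row.get("TimeGenerated"),
            "OperationNameValue": row.get("OperationNameValue"),
            "ActivityStatusValue": row.get("ActivityStatusValue"),
            "Caller": row.get("Caller"),
            "CallerIpAddress": row.get("CallerIpAddress"),
            "ComputerName": str(computer or ""),
            "vmSize": vm_size,
        })
    return hits


def activity_row(op: str, status: str, vm_size: str = None, computer: str = None,
                 caller: str = "alice@contoso.example", ip: str = "203.0.113.10",
                 ts: str = "2024-01-15T10:00:00Z") -> dict:
    """Build a constructed AzureActivity row; responseBody is embedded as a
    JSON string inside the Properties JSON string, as the query expects."""
    inner = {"properties": {}}
    if vm_size:
        inner["properties"]["hardwareProfile"] = {"vmSize": vm_size}
    if computer:
        inner["properties"]["osProfile"] = {"computerName": computer}
    return {"TimeGenerated": ts, "OperationNameValue": op,
            "ActivityStatusValue": status, "Caller": caller, "CallerIpAddress": ip,
            "Properties": json.dumps({"responseBody": json.dumps(inner)}),
            "HTTPRequest": json.dumps({"clientIpAddress": ip})}


# Constructed sample rows (not real telemetry); only the first one should alert.
SAMPLE_ROWS = [
    activity_row("Microsoft.Compute/virtualMachines/write", "Accepted", "Standard_NC24", "gpu-node-01"),
    activity_row("Microsoft.Compute/virtualMachines/write", "Accepted", "Standard_B2s", "web-01"),
    activity_row("Microsoft.Compute/virtualMachines/write", "Succeeded", "Standard_NV12", "gpu-node-02"),
    activity_row("Microsoft.Resources/deployments/write", "Accepted"),  # no hardwareProfile at all
    activity_row("Microsoft.Compute/virtualMachines/delete", "Accepted", "Standard_NC24"),
    activity_row("Microsoft.Compute/virtualMachines/write", "Accepted", "Standard_M416ms_v2", "db-big-01"),
]

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_ROWS), indent=2))
```

Running it prints the single `Standard_NC24` creation; the `Succeeded` row, the delete operation, the deployment without a hardware profile and the small `Standard_B2s` size all drop out at the corresponding filter, and the `Standard_M416ms_v2` row shows that the numeric tokens only fire when the number stands alone as a term.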
```yaml
queryFrequency: 1d
triggerOperator: gt
tactics:
  - DefenseEvasion
description: |
  'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.
  Adversary may create new or update existing virtual machines sizes to evade defenses
  or use it for cryptomining purposes.
  For Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes
  Azure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'
status: Available
relevantTechniques:
  - T1578
name: Creation of expensive computes in Azure
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml
severity: Low
triggerThreshold: 1
version: 2.0.0
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
query: |
  let tokens = dynamic(["416","208","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv12"]);
  let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
  AzureActivity
  | where tolower(OperationNameValue) in (operationList)
  | where ActivityStatusValue == "Accepted"
  | where isnotempty(Properties)
  | extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))
  | where isnotempty(vmSize)
  | where vmSize has_any (tokens)
  | extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)
  | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)
  | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
id: 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
kind: Scheduled
queryPeriod: 1d
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Creation of expensive computes in Azure",
        "description": "'Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1578"
        ],
        "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/Creation_of_Expensive_Computes_in_Azure.yaml",
        "status": "Available",
        "templateVersion": "2.0.0"
      }
    }
  ]
}
```