Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious AWS EC2 Compute Resource Deployments

Suspicious AWS EC2 Compute Resource Deployments

Back
Id9e457dc4-81f0-4d25-bc37-a5fa4a17946a
RulenameSuspicious AWS EC2 Compute Resource Deployments
DescriptionThis detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.
SeverityMedium
TacticsImpact
TechniquesT1496
Required data connectorsAWS
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml
Version1.0.0
Arm template9e457dc4-81f0-4d25-bc37-a5fa4a17946a.json
Deploy To Azure
// Retrieve AWS CloudTrail events generated within the last day
AWSCloudTrail
// Filter events related to instance creation
| where EventName =~ "RunInstances"
// Exclude events with error messages
| where isempty(ErrorMessage)
// Extract the event source type
| extend EventSourceSplit = split(EventSource, ".")
| extend Type = tostring(EventSourceSplit[0])
// Extract instance-related details from the event data
| extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)
// Determine the operating system platform
| extend OSplatform = iff(isempty(platform), tostring("Linux"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
// Filter out instances with empty core values
| where isnotempty(core)
// Calculate the total compute based on core and thread counts
| extend totalCorecompute = core * corThread
// Summarize relevant information for analysis
| summarize Start= min(TimeGenerated),
  end=   max(TimeGenerated),
  totalgpu= sum(totalCorecompute)
  by SourceIpAddress, UserIdentityArn, UserAgent
// Filter results based on total GPU compute and time duration
| where totalgpu > 800
| where datetime_diff('hour', end, Start) < 8

severity: Medium
name: Suspicious AWS EC2 Compute Resource Deployments
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
id: 9e457dc4-81f0-4d25-bc37-a5fa4a17946a
tactics:
- Impact
queryFrequency: 1d
triggerOperator: gt
customDetails:
  SourceIpAddress: SourceIpAddress
  UserAgent: UserAgent
  AWSUser: UserIdentityArn
description: |
    'This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1496
query: |
  // Retrieve AWS CloudTrail events generated within the last day
  AWSCloudTrail
  // Filter events related to instance creation
  | where EventName =~ "RunInstances"
  // Exclude events with error messages
  | where isempty(ErrorMessage)
  // Extract the event source type
  | extend EventSourceSplit = split(EventSource, ".")
  | extend Type = tostring(EventSourceSplit[0])
  // Extract instance-related details from the event data
  | extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)
  // Determine the operating system platform
  | extend OSplatform = iff(isempty(platform), tostring("Linux"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)
  // Filter out instances with empty core values
  | where isnotempty(core)
  // Calculate the total compute based on core and thread counts
  | extend totalCorecompute = core * corThread
  // Summarize relevant information for analysis
  | summarize Start= min(TimeGenerated),
    end=   max(TimeGenerated),
    totalgpu= sum(totalCorecompute)
    by SourceIpAddress, UserIdentityArn, UserAgent
  // Filter results based on total GPU compute and time duration
  | where totalgpu > 800
  | where datetime_diff('hour', end, Start) < 8
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
version: 1.0.0
queryPeriod: 1d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e457dc4-81f0-4d25-bc37-a5fa4a17946a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e457dc4-81f0-4d25-bc37-a5fa4a17946a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Suspicious AWS EC2 Compute Resource Deployments",
        "description": "'This detection focused on Suspicious deployment of AWS EC2 resource (virtual machine) scale sets was detected. This behavior might indicate that the threat actor is deploying computing resources for cryptocurrency mining activities.This detection centers around identifying suspicious instances of AWS EC2 resource deployment, particularly scale sets. Such behavior raises concerns of potential threat actor involvement, potentially indicative of efforts to deploy computing resources for the purpose of cryptocurrency mining activities.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "// Retrieve AWS CloudTrail events generated within the last day\nAWSCloudTrail\n// Filter events related to instance creation\n| where EventName =~ \"RunInstances\"\n// Exclude events with error messages\n| where isempty(ErrorMessage)\n// Extract the event source type\n| extend EventSourceSplit = split(EventSource, \".\")\n| extend Type = tostring(EventSourceSplit[0])\n// Extract instance-related details from the event data\n| extend instance = tostring(parse_json(RequestParameters).instanceType),platform = tostring(parse_json(ResponseElements).instancesSet.items[0].platform)\n// Determine the operating system platform\n| extend OSplatform = iff(isempty(platform), tostring(\"Linux\"), platform),CPU = tostring(parse_json(ResponseElements).instancesSet.items[0].cpuOptions),core = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.coreCount),corThread = toint(parse_json(ResponseElements).instancesSet.items[0].cpuOptions.threadsPerCore),InstanceId = tostring(parse_json(ResponseElements).instancesSet.items[0].instanceId)\n// Filter out instances with empty core values\n| where isnotempty(core)\n// Calculate the total compute based on core and thread counts\n| extend totalCorecompute = core * corThread\n// Summarize relevant information for analysis\n| summarize Start= min(TimeGenerated),\n  end=   max(TimeGenerated),\n  totalgpu= sum(totalCorecompute)\n  by SourceIpAddress, UserIdentityArn, UserAgent\n// Filter results based on total GPU compute and time duration\n| where totalgpu > 800\n| where datetime_diff('hour', end, Start) < 8\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1496"
        ],
        "alertRuleTemplateName": "9e457dc4-81f0-4d25-bc37-a5fa4a17946a",
        "customDetails": {
          "SourceIpAddress": "SourceIpAddress",
          "UserAgent": "UserAgent",
          "AWSUser": "UserIdentityArn"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIpAddress"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/SuspiciousAWSEC2ComputeResourceDeployments.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}