Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Workspace deletion activity from an infected device

Workspace deletion activity from an infected device

Back
Ida5b3429d-f1da-42b9-883c-327ecb7b91ff
RulenameWorkspace deletion activity from an infected device
DescriptionThis query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity.

Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1078
T1489
Required data connectorsAzureActiveDirectoryIdentityProtection
AzureActivity
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
Version1.0.8
Arm templatea5b3429d-f1da-42b9-883c-327ecb7b91ff.json
Deploy To Azure
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Active Directory Identity Protection"
| where AlertName == "Sign-in from an infected device"
| mv-apply EntityAccount=todynamic(Entities) on
(
where EntityAccount.Type == "account"
| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
)
| mv-apply EntityIp=todynamic(Entities) on
(
where EntityIp.Type == "ip"
| extend IpAddress = tostring(EntityIp.Address)
)
| join kind=inner (
IdentityInfo
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
| extend UserAccount = AccountUPN
| extend UserName = AccountDisplayName
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
| project AccountTenantId, AccountObjectId, UserAccount, UserName
)
on
$left.AadTenantId == $right.AccountTenantId,
$left.AadUserId == $right.AccountObjectId
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
| join kind=inner 
(
AzureActivity
| where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
| where ActivityStatusValue has_any ("Succeeded", "Success")
| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
) on IpAddress, UserAccount
| extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])

description: |
  'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. 
  Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.'  
query: |
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where ProductName == "Azure Active Directory Identity Protection"
  | where AlertName == "Sign-in from an infected device"
  | mv-apply EntityAccount=todynamic(Entities) on
  (
  where EntityAccount.Type == "account"
  | extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
  )
  | mv-apply EntityIp=todynamic(Entities) on
  (
  where EntityIp.Type == "ip"
  | extend IpAddress = tostring(EntityIp.Address)
  )
  | join kind=inner (
  IdentityInfo
  | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
  | extend UserAccount = AccountUPN
  | extend UserName = AccountDisplayName
  | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
  | project AccountTenantId, AccountObjectId, UserAccount, UserName
  )
  on
  $left.AadTenantId == $right.AccountTenantId,
  $left.AadUserId == $right.AccountObjectId
  | extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
  | project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
  | join kind=inner 
  (
  AzureActivity
  | where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
  | where ActivityStatusValue has_any ("Succeeded", "Success")
  | project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
  ) on IpAddress, UserAccount
  | extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])  
requiredDataConnectors:
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserAccount
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: IpAddress
    identifier: Address
- entityType: AzureResource
  fieldMappings:
  - columnName: _ResourceId
    identifier: ResourceId
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Protection
    - Platform
triggerThreshold: 0
tactics:
- InitialAccess
- Impact
queryPeriod: 14d
triggerOperator: gt
id: a5b3429d-f1da-42b9-883c-327ecb7b91ff
relevantTechniques:
- T1078
- T1489
severity: Medium
name: Workspace deletion activity from an infected device
kind: Scheduled
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
version: 1.0.8