Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Workspace deletion activity from an infected device

Workspace deletion activity from an infected device

Back
Ida5b3429d-f1da-42b9-883c-327ecb7b91ff
RulenameWorkspace deletion activity from an infected device
DescriptionThis query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity.

Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1078
T1489
Required data connectorsAzureActiveDirectoryIdentityProtection
AzureActivity
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
Version1.0.8
Arm templatea5b3429d-f1da-42b9-883c-327ecb7b91ff.json
Deploy To Azure
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Active Directory Identity Protection"
| where AlertName == "Sign-in from an infected device"
| mv-apply EntityAccount=todynamic(Entities) on
(
where EntityAccount.Type == "account"
| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
)
| mv-apply EntityIp=todynamic(Entities) on
(
where EntityIp.Type == "ip"
| extend IpAddress = tostring(EntityIp.Address)
)
| join kind=inner (
IdentityInfo
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
| extend UserAccount = AccountUPN
| extend UserName = AccountDisplayName
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
| project AccountTenantId, AccountObjectId, UserAccount, UserName
)
on
$left.AadTenantId == $right.AccountTenantId,
$left.AadUserId == $right.AccountObjectId
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
| join kind=inner 
(
AzureActivity
| where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
| where ActivityStatusValue has_any ("Succeeded", "Success")
| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
) on IpAddress, UserAccount
| extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserAccount
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpAddress
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
tactics:
- InitialAccess
- Impact
requiredDataConnectors:
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - AzureActivity
  connectorId: AzureActivity
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
id: a5b3429d-f1da-42b9-883c-327ecb7b91ff
severity: Medium
query: |
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where ProductName == "Azure Active Directory Identity Protection"
  | where AlertName == "Sign-in from an infected device"
  | mv-apply EntityAccount=todynamic(Entities) on
  (
  where EntityAccount.Type == "account"
  | extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
  )
  | mv-apply EntityIp=todynamic(Entities) on
  (
  where EntityIp.Type == "ip"
  | extend IpAddress = tostring(EntityIp.Address)
  )
  | join kind=inner (
  IdentityInfo
  | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
  | extend UserAccount = AccountUPN
  | extend UserName = AccountDisplayName
  | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
  | project AccountTenantId, AccountObjectId, UserAccount, UserName
  )
  on
  $left.AadTenantId == $right.AccountTenantId,
  $left.AadUserId == $right.AccountObjectId
  | extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
  | project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
  | join kind=inner 
  (
  AzureActivity
  | where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
  | where ActivityStatusValue has_any ("Succeeded", "Success")
  | project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
  ) on IpAddress, UserAccount
  | extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
kind: Scheduled
queryPeriod: 14d
metadata:
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Protection
    - Platform
  support:
    tier: Community
  source:
    kind: Community
version: 1.0.8
name: Workspace deletion activity from an infected device
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1078
- T1489
description: |
  'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. 
  Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.'  
triggerOperator: gt