Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Workspace deletion activity from an infected device

Back
Ida5b3429d-f1da-42b9-883c-327ecb7b91ff
RulenameWorkspace deletion activity from an infected device
DescriptionThis query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity.

Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1078
T1489
Required data connectorsAzureActiveDirectoryIdentityProtection
AzureActivity
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
Version1.0.8
Arm templatea5b3429d-f1da-42b9-883c-327ecb7b91ff.json
Deploy To Azure
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Active Directory Identity Protection"
| where AlertName == "Sign-in from an infected device"
| mv-apply EntityAccount=todynamic(Entities) on
(
where EntityAccount.Type == "account"
| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
)
| mv-apply EntityIp=todynamic(Entities) on
(
where EntityIp.Type == "ip"
| extend IpAddress = tostring(EntityIp.Address)
)
| join kind=inner (
IdentityInfo
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
| extend UserAccount = AccountUPN
| extend UserName = AccountDisplayName
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
| project AccountTenantId, AccountObjectId, UserAccount, UserName
)
on
$left.AadTenantId == $right.AccountTenantId,
$left.AadUserId == $right.AccountObjectId
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
| join kind=inner 
(
AzureActivity
| where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
| where ActivityStatusValue has_any ("Succeeded", "Success")
| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
) on IpAddress, UserAccount
| extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])
name: Workspace deletion activity from an infected device
severity: Medium
queryFrequency: 1d
triggerOperator: gt
relevantTechniques:
- T1078
- T1489
version: 1.0.8
description: |
  'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. 
  Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml
requiredDataConnectors:
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserAccount
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IpAddress
  entityType: IP
- fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
  entityType: AzureResource
tactics:
- InitialAccess
- Impact
queryPeriod: 14d
query: |
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where ProductName == "Azure Active Directory Identity Protection"
  | where AlertName == "Sign-in from an infected device"
  | mv-apply EntityAccount=todynamic(Entities) on
  (
  where EntityAccount.Type == "account"
  | extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)
  )
  | mv-apply EntityIp=todynamic(Entities) on
  (
  where EntityIp.Type == "ip"
  | extend IpAddress = tostring(EntityIp.Address)
  )
  | join kind=inner (
  IdentityInfo
  | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
  | extend UserAccount = AccountUPN
  | extend UserName = AccountDisplayName
  | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
  | project AccountTenantId, AccountObjectId, UserAccount, UserName
  )
  on
  $left.AadTenantId == $right.AccountTenantId,
  $left.AadUserId == $right.AccountObjectId
  | extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
  | project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName
  | join kind=inner 
  (
  AzureActivity
  | where OperationNameValue has_any ("/workspaces/computes/delete", "workspaces/delete") 
  | where ActivityStatusValue has_any ("Succeeded", "Success")
  | project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId
  ) on IpAddress, UserAccount
  | extend AccountName = tostring(split(UserAccount, "@")[0]), AccountUPNSuffix = tostring(split(UserAccount, "@")[1])  
kind: Scheduled
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
    - Platform
  author:
    name: Microsoft Security Research
triggerThreshold: 0
id: a5b3429d-f1da-42b9-883c-327ecb7b91ff
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a5b3429d-f1da-42b9-883c-327ecb7b91ff')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a5b3429d-f1da-42b9-883c-327ecb7b91ff')]",
      "properties": {
        "alertRuleTemplateName": "a5b3429d-f1da-42b9-883c-327ecb7b91ff",
        "customDetails": null,
        "description": "'This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. \nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.'\n",
        "displayName": "Workspace deletion activity from an infected device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Suspicious_WorkSpaceDeletion_Attempt.yaml",
        "query": "SecurityAlert\n| where TimeGenerated > ago(1d)\n| where ProductName == \"Azure Active Directory Identity Protection\"\n| where AlertName == \"Sign-in from an infected device\"\n| mv-apply EntityAccount=todynamic(Entities) on\n(\nwhere EntityAccount.Type == \"account\"\n| extend AadTenantId = tostring(EntityAccount.AadTenantId), AadUserId = tostring(EntityAccount.AadUserId)\n)\n| mv-apply EntityIp=todynamic(Entities) on\n(\nwhere EntityIp.Type == \"ip\"\n| extend IpAddress = tostring(EntityIp.Address)\n)\n| join kind=inner (\nIdentityInfo\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\n| extend UserAccount = AccountUPN\n| extend UserName = AccountDisplayName\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\n)\non\n$left.AadTenantId == $right.AccountTenantId,\n$left.AadUserId == $right.AccountObjectId\n| extend CompromisedEntity = iff(CompromisedEntity == \"N/A\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\n| project  AlertName, AlertSeverity, CompromisedEntity, UserAccount, IpAddress, TimeGenerated, UserName\n| join kind=inner \n(\nAzureActivity\n| where OperationNameValue has_any (\"/workspaces/computes/delete\", \"workspaces/delete\") \n| where ActivityStatusValue has_any (\"Succeeded\", \"Success\")\n| project TimeGenerated, ResourceProviderValue, _ResourceId, SubscriptionId, UserAccount=Caller, IpAddress=CallerIpAddress, CorrelationId, OperationId, ResourceGroup, TenantId\n) on IpAddress, UserAccount\n| extend AccountName = tostring(split(UserAccount, \"@\")[0]), AccountUPNSuffix = tostring(split(UserAccount, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1489"
        ],
        "templateVersion": "1.0.8",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}