let starttime = 14d;
let endtime = 1d;
let timeframe = 1d;
let TotalEventsThreshold = 25;
let TimeSeriesData = AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;
TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where TimeGenerated >= startofday(ago(endtime))
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0
| join (AzureActivity
| where TimeGenerated > startofday(ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
description: |
'This query generates the baseline pattern of cloud resource deletions by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.'
entityMappings:
- fieldMappings:
- columnName: Caller
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: AadUserId
identifier: AadUserId
entityType: Account
query: |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1d;
let TotalEventsThreshold = 25;
let TimeSeriesData = AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Caller;
TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where TimeGenerated >= startofday(ago(endtime))
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0
| join (AzureActivity
| where TimeGenerated > startofday(ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue,100), make_set(_ResourceId,100) by bin(TimeGenerated, timeframe), Caller ) on TimeGenerated, Caller
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
tactics:
- Impact
severity: Medium
triggerThreshold: 0
queryFrequency: 1d
status: Available
queryPeriod: 14d
relevantTechniques:
- T1485
tags:
- DEV-0537
id: ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b
name: Mass Cloud resource deletions Time Series Anomaly
kind: Scheduled
triggerOperator: gt
version: 2.0.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml
requiredDataConnectors:
- dataTypes:
- AzureActivity
connectorId: AzureActivity
