Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
| Id | fa2658fe-3714-4c55-bb12-2b7275c628e8 |
| Rulename | Threat Essentials - Mass Cloud resource deletions Time Series Anomaly |
| Description | This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | AzureActivity |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml |
| Version | 1.0.0 |
| Arm template | fa2658fe-3714-4c55-bb12-2b7275c628e8.json |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let TotalEventsThreshold = 25;
let TimeSeriesData =
AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller;
let TimeSeriesAlerts = materialize(TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0 );
TimeSeriesAlerts
| where TimeGenerated > (ago(endtime))
| project TimeGenerated, Caller
| join (AzureActivity
| where TimeGenerated > (ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller
version: 1.0.0
status: Available
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
kind: Scheduled
queryPeriod: 14d
severity: Medium
query: |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let TotalEventsThreshold = 25;
let TimeSeriesData =
AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller;
let TimeSeriesAlerts = materialize(TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0 );
TimeSeriesAlerts
| where TimeGenerated > (ago(endtime))
| project TimeGenerated, Caller
| join (AzureActivity
| where TimeGenerated > (ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller
tags:
- DEV-0537
triggerOperator: gt
id: fa2658fe-3714-4c55-bb12-2b7275c628e8
description: |
'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly
when any unusual spike is detected.
These anomalies from unusual or privileged users could be an indication of cloud infrastructure
take-down by an adversary '
triggerThreshold: 0
name: Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
relevantTechniques:
- T1485
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa2658fe-3714-4c55-bb12-2b7275c628e8')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa2658fe-3714-4c55-bb12-2b7275c628e8')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Threat Essentials - Mass Cloud resource deletions Time Series Anomaly",
"description": "'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \nwhen any unusual spike is detected.\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \ntake-down by an adversary '\n",
"severity": "Medium",
"enabled": true,
"query": "let starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 25; \nlet TimeSeriesData = \nAzureActivity \n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OperationNameValue endswith \"delete\" \n| project TimeGenerated, Caller \n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \nlet TimeSeriesAlerts = materialize(TimeSeriesData \n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') \n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \n| where anomalies > 0 \n| project Caller, TimeGenerated, Total, baseline, anomalies, score \n| where Total > TotalEventsThreshold and baseline > 0 ); \nTimeSeriesAlerts \n| where TimeGenerated > (ago(endtime)) \n| project TimeGenerated, Caller \n| join (AzureActivity \n| where TimeGenerated > (ago(endtime)) \n| where OperationNameValue endswith \"delete\" \n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"alertRuleTemplateName": "fa2658fe-3714-4c55-bb12-2b7275c628e8",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
}
],
"tags": [
"DEV-0537"
],
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml",
"templateVersion": "1.0.0"
}
}
]
}