Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Threat Essentials - Mass Cloud resource deletions Time Series Anomaly

Back
Idfa2658fe-3714-4c55-bb12-2b7275c628e8
RulenameThreat Essentials - Mass Cloud resource deletions Time Series Anomaly
DescriptionThis query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected.

These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml
Version1.0.2
Arm templatefa2658fe-3714-4c55-bb12-2b7275c628e8.json
Deploy To Azure
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let TotalEventsThreshold = 25; 
let TimeSeriesData = 
AzureActivity 
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where OperationNameValue endswith "delete" 
| project TimeGenerated, Caller 
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; 
let TimeSeriesAlerts = materialize(TimeSeriesData 
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') 
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) 
| where anomalies > 0 
| project Caller, TimeGenerated, Total, baseline, anomalies, score 
| where Total > TotalEventsThreshold and baseline > 0 ); 
TimeSeriesAlerts 
| where TimeGenerated > (ago(endtime)) 
| project TimeGenerated, Caller 
| join kind = inner (AzureActivity 
| where TimeGenerated > (ago(endtime)) 
| where OperationNameValue endswith "delete" 
| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller 
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
name: Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
version: 1.0.2
severity: Medium
queryFrequency: 1d
triggerOperator: gt
tags:
- DEV-0537
relevantTechniques:
- T1485
status: Available
description: |
  'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected.
  These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary '  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  - identifier: AadUserId
    columnName: AadUserId
  entityType: Account
tactics:
- Impact
queryPeriod: 14d
query: |
  let starttime = 14d;
  let endtime = 1d;
  let timeframe = 1h;
  let TotalEventsThreshold = 25; 
  let TimeSeriesData = 
  AzureActivity 
  | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
  | where OperationNameValue endswith "delete" 
  | project TimeGenerated, Caller 
  | make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; 
  let TimeSeriesAlerts = materialize(TimeSeriesData 
  | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') 
  | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) 
  | where anomalies > 0 
  | project Caller, TimeGenerated, Total, baseline, anomalies, score 
  | where Total > TotalEventsThreshold and baseline > 0 ); 
  TimeSeriesAlerts 
  | where TimeGenerated > (ago(endtime)) 
  | project TimeGenerated, Caller 
  | join kind = inner (AzureActivity 
  | where TimeGenerated > (ago(endtime)) 
  | where OperationNameValue endswith "delete" 
  | summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller 
  | extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
  | extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
  | extend AadUserId = iif(Caller !has '@',Caller,"")  
kind: Scheduled
triggerThreshold: 0
id: fa2658fe-3714-4c55-bb12-2b7275c628e8
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa2658fe-3714-4c55-bb12-2b7275c628e8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa2658fe-3714-4c55-bb12-2b7275c628e8')]",
      "properties": {
        "alertRuleTemplateName": "fa2658fe-3714-4c55-bb12-2b7275c628e8",
        "customDetails": null,
        "description": "'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected.\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary '\n",
        "displayName": "Threat Essentials - Mass Cloud resource deletions Time Series Anomaly",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "AadUserId",
                "identifier": "AadUserId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml",
        "query": "let starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 25; \nlet TimeSeriesData = \nAzureActivity \n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OperationNameValue endswith \"delete\" \n| project TimeGenerated, Caller \n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \nlet TimeSeriesAlerts = materialize(TimeSeriesData \n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit') \n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \n| where anomalies > 0 \n| project Caller, TimeGenerated, Total, baseline, anomalies, score \n| where Total > TotalEventsThreshold and baseline > 0 ); \nTimeSeriesAlerts \n| where TimeGenerated > (ago(endtime)) \n| project TimeGenerated, Caller \n| join kind = inner (AzureActivity \n| where TimeGenerated > (ago(endtime)) \n| where OperationNameValue endswith \"delete\" \n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \n| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),\"\")\n| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),\"\")\n| extend AadUserId = iif(Caller !has '@',Caller,\"\")\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          "DEV-0537"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}