Rules Contributing to Azure New CloudShell Created Alert

The following rules are used to identify events when an Azure new Cloud Shell is changed. Any one or more of these will trigger the Azure New CloudShell Created Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure New CloudShell Created

Identifies when a new cloudshell is created inside of Azure portal.

Rule ID

azure_56

Query

{'selection': {'operationName': 'MICROSOFT.PORTAL/CONSOLES/WRITE'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,72af37e2-ec32-47dc-992b-bc288a2708cb

Author: Austin Songer

Tactics, Techniques, and Procedures

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Severity

50

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/09/21	medium	A new cloudshell may be created by a system administrator.

Stellar Cyber version 5.3.0

© 2024 Stellar Cyber. All rights reserved.
Support | Contact Us |