Rules Contributing to Suspicious Azure Deployment Activity Alert

The following rules are used to identify suspicious Azure deployment activity. Any one or more of these will trigger the Suspicious Azure Deployment Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Number Of Resource Creation Or Deployment Activities

Number of VM creations or deployment activities occur in Azure via Azure Activity Log.

More details

Rule ID

azure_48

Query

{'selection': {'OperationNameValue': ['Microsoft.Compute/virtualMachines/write', 'Microsoft.Resources/deployments/write']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,d2d901db-7a75-45a1-bc39-0cbf00812192

Author: sawwinnnaung

Tactics, Techniques, and Procedures

TA0040, T1496

References

https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml

Severity

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/05/07	medium	Valid change

Azure Container Registry Modified or Deleted

Detects when a Container Registry is created, updated, or deleted.

More details

Rule ID

azure_65

Query

{'selection': {'operationName': ['MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE', 'MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE']}, 'condition': 'selection'}