LoFP / valid change

Sample rules

Rare Subscription-level Operations In Azure

Description

Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

Detection logic

condition: keywords
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write

Number Of Resource Creation Or Deployment Activities

Description

Counts the number of VM creation or deployment activities that occur in Azure, via the azureactivity log.

Detection logic

condition: keywords
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write

Granting Of Permissions To An Account

Description

Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

Detection logic

condition: keywords
keywords:
- Microsoft.Authorization/roleAssignments/write
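As an added example (not code from the LoFP page or from the Sigma rules it samples), the three keyword lists above are run over constructed Azure activity-log records, with a hypothetical allowlist standing in for the "valid change" false positive. It assumes the simplified record fields operationName, caller and callerIpAddress; the allowlist entries and log lines are constructed values.

```python
import json
# Keyword lists copied from the three sample rules above (Azure operationName values).
RULES = {
    "Rare Subscription-level Operations In Azure": {
        "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
        "Microsoft.Maps/accounts/listKeys/action",
        "Microsoft.Media/mediaservices/listKeys/action",
        "Microsoft.CognitiveServices/accounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Network/networkSecurityGroups/write",
    },
    "Number Of Resource Creation Or Deployment Activities": {
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Resources/deployments/write",
    },
    "Granting Of Permissions To An Account": {
        "Microsoft.Authorization/roleAssignments/write",
    },
}
# Hypothetical allowlist for the "valid change" case: a change counts as expected only
# when BOTH identity and source IP are approved, so an approved credential used elsewhere still alerts.
APPROVED_CHANGE_IDENTITIES = {"deploy-pipeline@example.com"}  # constructed
APPROVED_SOURCE_IPS = {"203.0.113.10"}  # constructed (TEST-NET-3 range)
# Constructed sample activity-log records, one JSON object per line.
SAMPLE_LOG = """\
{"operationName": "Microsoft.Compute/virtualMachines/write", "caller": "deploy-pipeline@example.com", "callerIpAddress": "203.0.113.10"}
{"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "alice@example.com", "callerIpAddress": "198.51.100.7"}
{"operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "bob@example.com", "callerIpAddress": "203.0.113.10"}
"""

def match_rules(record):
    """Names of rules whose keyword list contains this record's operationName."""
    op = record.get("operationName", "")
    return [name for name, keywords in RULES.items() if op in keywords]

def is_valid_change(record):
    """True only when caller AND source IP are both on the approved-change allowlist."""
    return (record.get("caller") in APPROVED_CHANGE_IDENTITIES
            and record.get("callerIpAddress") in APPROVED_SOURCE_IPS)

def run_detection(log_text):
    """Return (alerts, suppressed); suppressed approved changes are kept for audit, not dropped."""
    alerts, suppressed = [], []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        for rule in match_rules(record):
            bucket = suppressed if is_valid_change(record) else alerts
            bucket.append((rule, record.get("caller")))
    return alerts, suppressed
```

Bob's listKeys call comes from the approved IP but not from the approved identity, so it still alerts; only the pipeline's VM write from its known address is filed as a valid change.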