Query Details

Azure Cloud Security Monitoring

Query

// Azure Cloud Security Monitoring
// https://www.linkedin.com/pulse/azure-cloud-security-monitoring-steven-lim-vf6ac/

// Detect new blob with allowBlobPublicAccess enabled

AzureActivity
| where OperationNameValue startswith "MICROSOFT.STORAGE/STORAGEACCOUNTS/"
| extend allowBlobPublicAccess = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).allowBlobPublicAccess)
| where isnotempty(allowBlobPublicAccess)
| where allowBlobPublicAccess == "true"
| extend ResourceName = tostring(parse_json(Properties).resource)
| extend CallerUPN = tostring(parse_json(Properties).caller)
| project SubscriptionId, CallerIpAddress, CallerUPN, ResourceName, allowBlobPublicAccess

// Detect new public IP address creation

AzureActivity
| where OperationNameValue startswith "Microsoft.Network/publicIPAddresses/write"
| where ActivityStatusValue == "Succeeded" 

// Detect NSG creation or deletion

AzureActivity
| where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/delete" or 
OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
| where ActivityStatusValue == "Accept"
| extend NsgName = split(_ResourceId, '/')[8], NsgRule = split(_ResourceId, '/')[10]
| project TimeGenerated, NsgName, NsgRule, ResourceGroup, Caller, CallerIpAddress, _ResourceId

// Detect Azure VM password reset (Lateral movement technique)

ExposureGraphEdges
| where EdgeLabel contains "contains"
| where TargetNodeName contains "PasswordReset"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| project SourceNodeName, TargetNodeName, NodeProperties, EntityIds 

// Detect Privilege Escalation on Azure Service Principal

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Add service principal credentials."
| where AccountId has_any(CriticalIdentities)

// Detect Azure API spray attacks

let threshold=5;
ApiManagementGatewayLogs
| where TimeGenerated > ago(1d)
| where IsRequestSuccess == "false"
| summarize Count=count() by CallerIpAddress
| sort by Count desc
| where Count > threshold

// Detect Azure API Secrets Extraction

CloudAuditEvents
| where Timestamp > ago(30d)
| where OperationName == "Microsoft.ApiManagement/service/tenant/listSecrets/action"
| extend SubscriptionID = tostring(RawEventData.subscriptionId)
| extend PrincipalOID = tostring(RawEventData.principalOid)
| extend ApplicationID = tostring(RawEventData.applicationId)
| extend HttpRequest = tostring(RawEventData.httpRequest)
| extend Properties = tostring(RawEventData.properties)
| project Timestamp, OperationName, PrincipalOID, SubscriptionID, ApplicationID, HttpRequest, Properties 

// Detect Azure VM DNS Threat

DnsEvents
| where IPAddresses != ""
| join ThreatIntelligenceIndicator on $left.Name == $right.DomainName
| where ConfidenceScore > 50

// MITRE ATT&CK Mapping

// T1530 - Data from Cloud Storage Object
// T1583.003 - Acquire Infrastructure: Cloud Account
// T1562.004 - Impair Defenses: Disable or Modify System Firewall
// T1078.004 - Valid Accounts: Cloud Accounts
// T1110.003 - Brute Force: Password Spraying
// T1530 - Data from Cloud Storage Object
// T1071.004 - Application Layer Protocol: DNS

Explanation

This query is a comprehensive Azure cloud security monitoring script designed to detect various security-related activities and potential threats within an Azure environment. Here's a simplified breakdown of what each part of the query does:

  1. Detect New Blob with Public Access Enabled:

    • It checks for any new storage account operations where the setting to allow public access to blobs is enabled. It extracts relevant details like the subscription ID, caller IP address, and resource name.
  2. Detect New Public IP Address Creation:

    • It identifies successful operations related to the creation of new public IP addresses.
  3. Detect Network Security Group (NSG) Creation or Deletion:

    • It monitors for the creation or deletion of security rules within network security groups, providing details like the NSG name, rule, and caller information.
  4. Detect Azure VM Password Reset:

    • It looks for password reset activities on Azure VMs, which could indicate lateral movement techniques used by attackers.
  5. Detect Privilege Escalation on Azure Service Principal:

    • It identifies potential privilege escalation activities by monitoring the addition of service principal credentials, especially for critical identities.
  6. Detect Azure API Spray Attacks:

    • It detects potential API spray attacks by identifying failed API requests from the same IP address that exceed a certain threshold within a day.
  7. Detect Azure API Secrets Extraction:

    • It monitors for operations that involve listing secrets in Azure API Management, which could indicate unauthorized access to sensitive information.
  8. Detect Azure VM DNS Threat:

    • It checks DNS events against threat intelligence indicators to identify potential threats with a high confidence score.
  9. MITRE ATT&CK Mapping:

    • The query maps detected activities to specific MITRE ATT&CK techniques, providing a framework for understanding the tactics and techniques used by attackers.

Overall, this query is designed to enhance security monitoring by detecting suspicious activities and potential threats across various Azure services, helping organizations to respond promptly to security incidents.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AzureActivity ExposureGraphEdges ExposureGraphNodes CloudAppEvents ApiManagementGatewayLogs CloudAuditEvents DnsEvents ThreatIntelligenceIndicator

Keywords

AzureActivityExposureGraphEdgesExposureGraphNodesCloudAppEventsApiManagementGatewayLogsCloudAuditEventsDnsEventsThreatIntelligenceIndicator

Operators

startswithextendtostringparse_jsonisnotemptyprojectorsplitjoinset_has_elementisnotnulldistincthas_anyletsummarizecountsortagocontains===~><and

Actions

GitHub