Azure · v-atulyadav · Oct 31, 2023 · Oct 4, 2023 · Oct 5, 2023 · Oct 5, 2023
@@ -0,0 +1,34 @@
+{"Name":"GCPAuditLogs","Properties":[
+    {"Name": "AuthenticationInfo", "Type": "dynamic"},
+    {"Name": "AuthorizationInfo", "Type": "dynamic"},
+    {"Name": "GCPResourceName", "Type": "string"},
+    {"Name": "GCPResourceType", "Type": "string"},
+    {"Name": "InsertId", "Type": "string"},
+    {"Name": "LogName", "Type": "string"},
+    {"Name": "Metadata", "Type": "dynamic"},
+    {"Name": "MethodName", "Type": "string"},
+    {"Name": "NumResponseItems", "Type": "string"},
+    {"Name": "PrincipalEmail", "Type": "string"},
+    {"Name": "ProjectId", "Type": "string"},
+    {"Name": "Request", "Type": "dynamic"},
+    {"Name": "RequestMetadata", "Type": "dynamic"},
+    {"Name": "ResourceLocation", "Type": "dynamic"},
+    {"Name": "ResourceOriginalState", "Type": "dynamic"},
+    {"Name": "Response", "Type": "dynamic"},
+    {"Name": "ServiceData", "Type": "dynamic"},
+    {"Name": "ServiceName", "Type": "string"},
+    {"Name": "Severity", "Type": "string"},
+    {"Name": "SourceSystem", "Type": "string"},
+    {"Name": "Status", "Type": "dynamic"},
+    {"Name": "StatusMessage", "Type": "string"},
+    {"Name": "Subscription", "Type": "string"},
+    {"Name": "TenantId", "Type": "string"},
+    {"Name": "TimeGenerated", "Type": "datetime"},
+    {"Name": "Timestamp", "Type": "datetime"},
+    {"Name": "Type", "Type": "string"},
+    {"Name": "WorkspaceId", "Type": "string"},
+    {"Name": "WorkspaceRegion", "Type": "string"},
+    {"Name": "WorkspaceResourceGroup", "Type": "string"},
+    {"Name": "WorkspaceSubscriptionId", "Type": "string"},
+    {"Name": "WorkspaceTenantId", "Type": "string"}
+]}
@@ -211,5 +211,6 @@
   "TrendMicroApexOneAma",
   "PaloAltoNetworksAma",
   "PaloAltoCDLAma",
-  "CiscoSEGAma"
+  "CiscoSEGAma",
+  "GCPAuditLogsDefinition"
 ]
@@ -0,0 +1,179 @@
+id: 5c847e47-0a07-4c01-ab99-5817ad6cb11e
+name: Cross-Cloud Suspicious Compute resource creation in GCP
+description: |
+  '
+  This detection  identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.
+  '
+severity: Low
+requiredDataConnectors:
+  - connectorId: GCPAuditLogsDefinition
+    dataTypes:
+      - GCPAuditLogs
+  - connectorId: AWSS3
+    dataTypes:
+      - AWSGuardDuty
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - Execution
+  - Persistence
+  - PrivilegeEscalation
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+relevantTechniques:
+  - T1566
+  - T1059
+  - T1078
+  - T1547
+  - T1548
+  - T1069
+  - T1552
+query: |
+  // Materialize AWS GuardDuty findings
+  let AwsAlert = materialize (
+      AWSGuardDuty
+      // Filter for specific activity types in AWS GuardDuty
+      | where ActivityType has_any (
+          "Backdoor:EC2/DenialOfService.UnusualProtocol",
+          "CredentialAccess:Kubernetes/MaliciousIPCaller",
+          "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
+          "CredentialAccess:Kubernetes/TorIPCaller",
+          "CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
+          "CredentialAccess:RDS/TorIPCaller.FailedLogin",
+          "CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
+          "Discovery:Kubernetes/MaliciousIPCaller",
+          "Recon:IAMUser/MaliciousIPCaller.Custom",
+          "UnauthorizedAccess:EC2/TorClient",
+          "UnauthorizedAccess:IAMUser/TorIPCaller",
+          "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
+          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
+          "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
+          "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B"
+          )
+      // Extract and transform AWS GuardDuty attributes
+      | extend
+          AWSAlertId = Id, 
+          AWSAlertTitle = Title,
+          AWSAlertDescription = Description,
+          AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
+          AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
+          AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
+          InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
+          AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
+          AWSAlertTime = TimeCreated,
+          AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),
+          Severity = 
+          case (
+      Severity >= 7.0,
+      "High",
+      Severity between (4.0 .. 6.9),
+      "Medium",
+      Severity between (1.0 .. 3.9),
+      "Low",
+      "Unknown"
+  )
+      // Extract API call details and count
+      | mv-apply AIPCall = AWSTargetingService on 
+          ( 
+          where AIPCall has "name"    
+          | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
+          ) 
+      // Select distinct attributes for further analysis
+      | distinct
+          AWSAlertTime,
+          ActivityType,
+          Severity,
+          AWSAlertId,
+          AWSAlertTitle,
+          AWSAlertDescription,
+          AWSAlertLink,
+          Arn,
+          AWSresourceType,
+          AWSNetworkEntity,
+          AWSAlertUserNameEntity,
+          InstanceType,
+          APICallName,
+          APICallCount      
+      );
+  // Materialize GCP Audit Logs related to VM instance creation
+  let GCPVMActivity= materialize(
+      GCPAuditLogs 
+      // Filter for Compute Engine instances insertions
+      | where ServiceName == "compute.googleapis.com" and MethodName endswith "instances.insert"
+      // Extract and transform relevant GCP Audit Log attributes
+      | extend
+          GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),
+          GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
+          GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),
+          VMDetails= parse_json(AuthorizationInfo),
+          VMStatus =  tostring(parse_json(Response).status),
+          VMOperation=tostring(parse_json(Response).operationType),
+          VMName= tostring(parse_json(Request).name),
+          VMDescription= tostring(parse_json(Request).description),
+          VMType = tostring(split(parse_json(Request).machineType, "/")[-1]),
+          Tags= tostring(parse_json(Request).tags),
+          RequestJS = parse_json(Request)
+      // Filter out service account-related activities and private IP addresses
+      | where GCPUserUPN !has "gserviceaccount.com"
+      | extend Name = tostring(split(GCPUserUPN, "@")[0]), UPNSuffix = tostring(split(GCPUserUPN, "@")[1])
+      | where VMOperation == "insert" and isnotempty(GCPUserIp) and GCPUserIp != "private"
+      // Select relevant attributes for further analysis
+      | project
+          GCPOperationTime=TimeGenerated,
+          VMName,
+          VMStatus,
+          MethodName,
+          GCPUserUPN,
+          ProjectId,
+          GCPUserIp,
+          GCPUserUA,
+          VMOperation,
+          VMType,
+          Name,
+          UPNSuffix
+      );
+  // Join AWS and GCP activities based on matching IP addresses
+  AwsAlert
+  | join kind= inner (GCPVMActivity)
+      on
+      $left.AWSNetworkEntity == $right.GCPUserIp
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: GCPUserIp
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+customDetails:
+  AWSAlertUserName: AWSAlertUserNameEntity
+  AWSArn: Arn
+  AWSresourceType: AWSresourceType
+  AWSInstanceType: InstanceType
+  AWSAPICallName: APICallName
+  AWSAPICallCount: APICallCount
+  GCPUserAgent: GCPUserUA
+  GCPVMName: VMName
+  GCPProjectId: ProjectId
+  GCPVMType: VMType
+  CorrelationWith: "GCPAuditLogs"
+alertDetailsOverride:
+  alertDisplayNameFormat: "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}"
+  alertDescriptionFormat: " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.  \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+  alertSeverityColumnName: Severity
+  alertDynamicProperties:
+    - alertProperty: AlertLink
+      value: AWSAlertLink
+    - alertProperty: ProviderName
+      value: "AWS"
+    - alertProperty: ProductComponentName
+      value: "AWSGuarduty"
+kind: Scheduled
+version: 1.0.0
@@ -0,0 +1,151 @@
+id: 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7
+name: Cross-Cloud Suspicious user activity observed in GCP Envourment
+description: |
+  '
+  This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.
+  '
+severity: Medium
+requiredDataConnectors:
+  - connectorId: GCPAuditLogsDefinition
+    dataTypes:
+      - GCPAuditLogs
+  - connectorId: AzureActiveDirectoryIdentityProtection
+    dataTypes:
+      - SecurityAlert (IPC)
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - SecurityAlert
+  - connectorId: MicrosoftDefenderAdvancedThreatProtection
+    dataTypes:
+      - SecurityAlert (MDATP)
+  - connectorId: MicrosoftCloudAppSecurity
+    dataTypes:
+      - SecurityAlert
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - Execution
+  - Persistence
+  - PrivilegeEscalation
+  - CredentialAccess
+  - Discovery
+relevantTechniques:
+  - T1566
+  - T1059
+  - T1078
+  - T1046
+  - T1547
+  - T1548
+  - T1069
+  - T1552
+query: |
+  // Filter GCP Audit Logs to exclude service accounts
+  GCPAuditLogs 
+  | where PrincipalEmail !endswith "gserviceaccount.com"
+  // Exclude system-related authentication information
+  | where AuthenticationInfo !has ("system:")
+  // Extract GCP request name and relevant attributes
+  | extend GCPRequestName= parse_json(Request).name
+  | extend
+      GCPAccoutType= tostring(split(GCPRequestName, "/")[2]),
+      GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, "/")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), "na"), 
+      GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),
+      GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)
+  // Filter out empty or service account identities
+  | where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith "gserviceaccount.com"
+  // Select relevant attributes for further analysis
+  | project
+      PrincipalEmail,
+      GCPUserIdentity,
+      GCPAccoutType,
+      GCPRequestName,
+      GCPCallerUA,
+      Request,
+      RequestMetadata,
+      GCPUserIp,
+      MethodName,
+      ServiceName,
+      GCPEventTime= TimeGenerated,
+      ProjectId
+  // Join GCP Audit Logs with SecurityAlert data based on user identity and IP
+  | join kind=inner (    
+      SecurityAlert 
+      // Exclude alerts from Azure Sentinel
+      | where ProductName !in ("Azure Sentinel")
+      // Extract IP entities from alert data
+      | extend AlertIPEntity=  tostring(extract(@"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", 0, Entities))
+      | extend
+          AlertUserUPN = tostring(extract(@'\b[\w\.\-]+@[\w\.\-]+\b', 0, Entities)),
+          AlertTime= TimeGenerated
+      // Filter out empty user identities and IP entities
+      | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)
+      )
+      on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity
+  // Summarize the data, calculating time differences and aggregating attributes
+  | summarize
+      FirstAlert=min(AlertTime),
+      LastAlert=max(AlertTime),
+      TimeDiff=datetime_diff('minute', min(AlertTime), min(GCPEventTime)),
+      MethodName=make_set(MethodName),
+      ServiceName= make_set(ServiceName),
+      GCPProjctId=make_set(ProjectId),
+      Request=make_set(Request),
+      GCPCallerUA=make_set(GCPCallerUA)
+      by
+      AlertUserUPN,
+      AlertIPEntity,
+      GCPUserIp,
+      GCPUserIdentity,
+      AlertSeverity,
+      AlertName,
+      AlertLink,
+      Description,
+      Tactics,
+      ProductName,
+      SystemAlertId,
+      GCPAccoutType
+  // Extend the data with additional attributes
+  | extend
+      Name = tostring(split(GCPUserIdentity, "@")[0]),
+      UPNSuffix = tostring(split(GCPUserIdentity, "@")[1])
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: GCPUserIp
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+customDetails:
+  AlertName: AlertName
+  FirstAlert: FirstAlert
+  LastAlert: LastAlert
+  TimeDiff: TimeDiff
+  MethodName: MethodName
+  GCPProjctId: GCPProjctId
+  GCPCallerUA: GCPCallerUA
+  ServiceName: ServiceName
+  AlertUserUPN: AlertUserUPN
+  SystemAlertId: SystemAlertId
+  Tactics: Tactics
+  Request: Request
+  CorrelationWith: "GCPAuditLogs"
+alertDetailsOverride:
+  alertDisplayNameFormat: "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}."
+  alertDescriptionFormat: " This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources.  \n\n Microsoft Security ALert Link : '{{AlertLink}}'"
+  alertSeverityColumnName: AlertSeverity
+  alertDynamicProperties:
+    - alertProperty: AlertLink
+      value: AlertLink
+    - alertProperty: ProviderName
+      value: "ProductName"
+    - alertProperty: ProductComponentName
+      value: "Microsoft Security"
+kind: Scheduled
+version: 1.0.0