Azure · v-sudkharat · Oct 30, 2023 · Oct 30, 2023 · Oct 31, 2023 · Oct 31, 2023
@@ -20,15 +20,15 @@ tactics:
 relevantTechniques:
   - T1578
 query: |
-  let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv24"]);
+  let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","nc12","nc24","nv24"]);
   let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
   AzureActivity
   | where OperationNameValue in~ (operationList)
   | where ActivityStatusValue startswith "Accept"
   | where Properties has 'vmSize'
   | extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties
   | extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)
-  | where vmSize has_any (tokens)
+  | mv-apply token=tokens to typeof(string) on (where vmSize contains token)
   | extend ComputerName = tostring((parsed_property.osProfile).computerName)
   | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
   | extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
@@ -39,9 +39,13 @@ entityMappings:
         columnName: Name
       - identifier: UPNSuffix
         columnName: UPNSuffix
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: ComputerName      
   - entityType: IP
     fieldMappings:
       - identifier: Address
         columnName: CallerIpAddress
-version: 2.0.1
+version: 2.0.2
 kind: Scheduled
@@ -16,15 +16,15 @@ tactics:
 relevantTechniques:
   - T1578
 query: |
-  let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","g5","gs5","g4","gs4","nc12","nc24","nv24"]);
+  let tokens = dynamic(["416","208","192","128","120","96","80","72","64","48","44","40","nc12","nc24","nv24"]);
   let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
   AzureActivity
   | where OperationNameValue in~ (operationList)
   | where ActivityStatusValue startswith "Accept"
   | where Properties has 'vmSize'
   | extend parsed_property= parse_json(tostring((parse_json(Properties).responseBody))).properties
   | extend vmSize = tostring((parsed_property.hardwareProfile).vmSize)
-  | where vmSize has_any (tokens)
+  | mv-apply token=tokens to typeof(string) on (where vmSize contains token)
   | extend ComputerName = tostring((parsed_property.osProfile).computerName)
   | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize
   | extend Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
@@ -35,9 +35,13 @@ entityMappings:
         columnName: Name
       - identifier: UPNSuffix
         columnName: UPNSuffix
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: ComputerName    
   - entityType: IP
     fieldMappings:
       - identifier: Address
         columnName: CallerIpAddress
-version: 2.0.1
+version: 2.0.2
 kind: NRT
@@ -40,7 +40,7 @@
 	  "Workbooks/AzureActivity.json"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Azure Activity",
-  "Version": "2.0.6",
+  "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true

@@ -0,0 +1,33 @@
+{
+  "Name": "Azure Activity",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivity_logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The [Azure Activity](https://docs.microsoft.com/azure/azure-monitor/essentials/activity-log) solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health [logs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) using Diagnostic Settings into Microsoft Sentinel.",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\Azure Activity",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": true,
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-azureactivity",
+  "providers": [
+    "Microsoft"
+  ],
+  "categories": {
+    "domains": [
+      "IT Operations"
+    ],
+    "verticals": []
+  },
+  "firstPublishDate": "2022-04-18",
+  "support": {
+    "tier": "Microsoft",
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "link": "https://support.microsoft.com/"
+  },
+  "Data Connectors": "[\n  \"Data Connectors/AzureActivity.json\"\n]",
+  "Workbooks": "[\n  \"Workbooks/AzureActivity.json\"\n]",
+  "Analytic Rules": "[\n  \"AADHybridHealthADFSNewServer.yaml\",\n  \"AADHybridHealthADFSServiceDelete.yaml\",\n  \"AADHybridHealthADFSSuspApp.yaml\",\n  \"Creating_Anomalous_Number_Of_Resources_detection.yaml\",\n  \"Creation_of_Expensive_Computes_in_Azure.yaml\",\n  \"Granting_Permissions_To_Account_detection.yaml\",\n  \"NRT-AADHybridHealthADFSNewServer.yaml\",\n  \"NRT_Creation_of_Expensive_Computes_in_Azure.yaml\",\n  \"New-CloudShell-User.yaml\",\n  \"NewResourceGroupsDeployedTo.yaml\",\n  \"RareOperations.yaml\",\n  \"TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml\"\n]",
+  "Hunting Queries": "[\n  \"AnalyticsRulesAdministrativeOperations.yaml\",\n  \"AnomalousAzureOperationModel.yaml\",\n  \"Anomalous_Listing_Of_Storage_Keys.yaml\",\n  \"AzureAdministrationFromVPS.yaml\",\n  \"AzureNSG_AdministrativeOperations.yaml\",\n  \"AzureRunCommandFromAzureIP.yaml\",\n  \"AzureSentinelConnectors_AdministrativeOperations.yaml\",\n  \"AzureSentinelWorkbooks_AdministrativeOperation.yaml\",\n  \"AzureVirtualNetworkSubnets_AdministrativeOperationset.yaml\",\n  \"Common_Deployed_Resources.yaml\",\n  \"Creating_Anomalous_Number_Of_Resources.yaml\",\n  \"Granting_Permissions_to_Account.yaml\",\n  \"PortOpenedForAzureResource.yaml\",\n  \"Rare_Custom_Script_Extension.yaml\"\n]"
+}
@@ -1,6 +1,8 @@
 id: 43cb0347-bdcc-4e83-af5a-cebbd03971d8
 name: Anomalous Azure Operation Hunting Model
 description: |
+  'This query identifies Azure Operation anomalies during threat hunts. It detects new callers, IPs, IP ranges, and anomalous operations. Initially set for Run Command operations, it can be configured for other operations and resource types.'
+description_detailed: |
   'This query can be used during threat hunts to identify a range of different Azure Operation anomalies.
   The query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP,
   New Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect

@@ -1,6 +1,8 @@
 id: 5d2399f9-ea5c-4e67-9435-1fba745f3a39
 name: Azure storage key enumeration
 description: |
+  'Azure's storage key listing can expose secrets, PII, and grant VM access. Monitoring for anomalous accounts or IPs is crucial. The query generates IP clusters, correlates activities, and flags unexpected ones. Single-operation users are excluded.'
+description_detailed: |
   'Listing of storage keys is an interesting operation in Azure which might expose additional 
   secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this
   type, it would be interesting to see if the account performing this activity or the source IP address from 

@@ -1,10 +1,12 @@
 id: 0278e3b8-9899-45c5-8928-700cd80d2d80
 name: Common deployed resources
 description: |
+  'This query identifies common deployed resources in Azure, like resource names and groups. It can be used with other suspicious deployment signals to evaluate if a resource is commonly deployed or unique.'
+description_detailed: |
   'This query looks for common deployed resources (resource name and resource groups) and can be used
   in combination with other signals that show suspicious deployment to evaluate if the resource is one
   that is commonly being deployed/created or unique.
-  To understand the basket() function better see - https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin' 
+  To understand the basket() function better see - https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin'   
 requiredDataConnectors:
   - connectorId: AzureActivity
     dataTypes:

@@ -1,7 +1,7 @@
 id: 9e146876-e303-49af-b847-b029d1a66852
 name: Port opened for an Azure Resource
 description: |
-  'Identifies what ports may have been opened for a given Azure Resource over the last 7 days'
+  'Identifies what ports may have been opened for a given Azure Resource over the last 7 days.'
 requiredDataConnectors:
   - connectorId: AzureActivity
     dataTypes:

@@ -1,7 +1,9 @@
 id: 81fd68a2-9ad6-4a1c-7bd7-18efe5c99081
 name: Rare Custom Script Extension
 description: |
-     'The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks.
+     'The Custom Script Extension in Azure executes scripts on VMs, useful for post-deployment tasks. Scripts can be from various sources and could be used maliciously. The query identifies rare custom script extensions executed in your environment.'
+description_detailed: |
+      'The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks.
       Scripts could be downloaded from external links, Azure storage, GitHub, or provided to the Azure portal at extension run time. This could also be used maliciously by an attacker.
       The query tries to identify rare custom script extensions that have been executed in your environment'
 requiredDataConnectors:

@@ -88,7 +88,7 @@
             "name": "workbooks-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The workbooks installed with the Azure Activity solution provide insights into operations on different Azure resources. After installing the solution, start using the workbook in Manage solution view."
+              "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
             }
           },
           {
@@ -358,7 +358,7 @@
                 "name": "huntingquery2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This query can be used during threat hunts to identify a range of different Azure Operation anomalies.\nThe query is heavily commented inline to explain operation. Anomalies covered are: New Caller, New Caller IP,\nNew Caller IP Range, Anomalous operation based on Jaccard index. By default this query is configured to detect\nanomalous Run Command operations. The operation and resource type to perform anomaly detection can be configured \nat the top of the query along with the detection window parameters This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
+                  "text": "This query identifies Azure Operation anomalies during threat hunts. It detects new callers, IPs, IP ranges, and anomalous operations. Initially set for Run Command operations, it can be configured for other operations and resource types. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
                 }
               }
             ]
@@ -372,7 +372,7 @@
                 "name": "huntingquery3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Listing of storage keys is an interesting operation in Azure which might expose additional \nsecrets and PII to callers as well as granting access to VMs. While there are many benign operations of this\ntype, it would be interesting to see if the account performing this activity or the source IP address from \nwhich it is being done is anomalous. \nThe query below generates known clusters of ip address per caller, notice that users which only had single\noperations do not appear in this list as we cannot learn from it their normal activity (only based on a single\nevent). The activities for listing storage account keys is correlated with this learned \nclusters of expected activities and activity which is not expected is returned. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
+                  "text": "Azure's storage key listing can expose secrets, PII, and grant VM access. Monitoring for anomalous accounts or IPs is crucial. The query generates IP clusters, correlates activities, and flags unexpected ones. Single-operation users are excluded. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
                 }
               }
             ]
@@ -470,7 +470,7 @@
                 "name": "huntingquery10-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This query looks for common deployed resources (resource name and resource groups) and can be used\nin combination with other signals that show suspicious deployment to evaluate if the resource is one\nthat is commonly being deployed/created or unique.\nTo understand the basket() function better see - https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
+                  "text": "This query identifies common deployed resources in Azure, like resource names and groups. It can be used with other suspicious deployment signals to evaluate if a resource is commonly deployed or unique. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
                 }
               }
             ]
@@ -512,7 +512,7 @@
                 "name": "huntingquery13-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies what ports may have been opened for a given Azure Resource over the last 7 days This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
+                  "text": "Identifies what ports may have been opened for a given Azure Resource over the last 7 days. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
                 }
               }
             ]
@@ -526,7 +526,7 @@
                 "name": "huntingquery14-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks.\n Scripts could be downloaded from external links, Azure storage, GitHub, or provided to the Azure portal at extension run time. This could also be used maliciously by an attacker.\n The query tries to identify rare custom script extensions that have been executed in your environment This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
+                  "text": "The Custom Script Extension in Azure executes scripts on VMs, useful for post-deployment tasks. Scripts can be from various sources and could be used maliciously. The query identifies rare custom script extensions executed in your environment. This hunting query depends on AzureActivity data connector (AzureActivity Parser or Table)"
                 }
               }
             ]