Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities occur in Azure via the azureactivity log.
Sigma rule (View on GitHub)
1title: Number Of Resource Creation Or Deployment Activities
2id: d2d901db-7a75-45a1-bc39-0cbf00812192
3status: test
4description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
5references:
6 - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
7author: sawwinnnaung
8date: 2020-05-07
9modified: 2023-10-11
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1098
14logsource:
15 product: azure
16 service: activitylogs
17detection:
18 keywords:
19 - Microsoft.Compute/virtualMachines/write
20 - Microsoft.Resources/deployments/write
21 condition: keywords
22falsepositives:
23 - Valid change
24level: medium
References
-
Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys