Number Of Resource Creation Or Deployment Activities

Aug 12, 2024 · attack.persistence attack.t1098 ·

Number of VM creations or deployment activities occur in Azure via the azureactivity log.

Sigma rule (View on GitHub)

 1title: Number Of Resource Creation Or Deployment Activities
 2id: d2d901db-7a75-45a1-bc39-0cbf00812192
 3status: test
 4description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 5references:
 6    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 7author: sawwinnnaung
 8date: 2020-05-07
 9modified: 2023-10-11
10tags:
11    - attack.persistence
12    - attack.t1098
13logsource:
14    product: azure
15    service: activitylogs
16detection:
17    keywords:
18        - Microsoft.Compute/virtualMachines/write
19        - Microsoft.Resources/deployments/write
20    condition: keywords
21falsepositives:
22    - Valid change
23level: medium

References

Azure-Sentinel/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml at e534407884b1ec5371efc9f76ead282176c9e8bb · Azure/Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel

Read More

Number Of Resource Creation Or Deployment Activities

Sigma rule (View on GitHub)

References

Azure-Sentinel/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml at e534407884b1ec5371efc9f76ead282176c9e8bb · Azure/Azure-Sentinel

Related rules