Query Details

Azure Cloud Security Monitoring

Query

// Azure Cloud Security Monitoring
// https://www.linkedin.com/pulse/azure-cloud-security-monitoring-steven-lim-vf6ac/

// Detect new blob with allowBlobPublicAccess enabled

AzureActivity
| where OperationNameValue startswith "MICROSOFT.STORAGE/STORAGEACCOUNTS/"
// requestbody is a JSON string inside the dynamic Properties_d column, so it has to be parsed before its properties can be read
| extend allowBlobPublicAccess = tostring(parse_json(tostring(Properties_d.requestbody)).properties.allowBlobPublicAccess)
| where isnotempty(allowBlobPublicAccess)
| where allowBlobPublicAccess == "true"
| extend ResourceName = tostring(parse_json(Properties).resource)
| extend CallerUPN = tostring(parse_json(Properties).caller)
| project SubscriptionId, CallerIpAddress, CallerUPN, ResourceName, allowBlobPublicAccess

// Detect new public IP address creation

AzureActivity
| where OperationNameValue startswith "Microsoft.Network/publicIPAddresses/write"
| where ActivityStatusValue == "Succeeded"

// Detect NSG creation or deletion

AzureActivity
| where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/delete" or
    OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
| where ActivityStatusValue == "Accept"
// Resource id layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/networkSecurityGroups/{nsg}/securityRules/{rule}
| extend NsgName = tostring(split(_ResourceId, '/')[8]), NsgRule = tostring(split(_ResourceId, '/')[10])
| project TimeGenerated, NsgName, NsgRule, ResourceGroup, Caller, CallerIpAddress, _ResourceId

// Detect Azure VM password reset (Lateral movement technique)

ExposureGraphEdges
| where EdgeLabel contains "contains"
| where TargetNodeName contains "PasswordReset"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| project SourceNodeName, TargetNodeName, NodeProperties, EntityIds

// Detect Privilege Escalation on Azure Service Principal

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) 
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Add service principal credentials."
| where AccountId has_any(CriticalIdentities)

// Detect Azure API spray attacks

let threshold = 5;
ApiManagementGatewayLogs
| where TimeGenerated > ago(1d)
// IsRequestSuccess is a bool column, so compare it with a bool literal rather than the string "false"
| where IsRequestSuccess == false
| summarize Count = count() by CallerIpAddress
| sort by Count desc
| where Count > threshold

// Detect Azure API Secrets Extraction

CloudAuditEvents
| where Timestamp > ago(30d)
| where OperationName == "Microsoft.ApiManagement/service/tenant/listSecrets/action"
| extend SubscriptionID = tostring(RawEventData.subscriptionId)
| extend PrincipalOID = tostring(RawEventData.principalOid)
| extend ApplicationID = tostring(RawEventData.applicationId)
| extend HttpRequest = tostring(RawEventData.httpRequest)
| extend Properties = tostring(RawEventData.properties)
| project Timestamp, OperationName, PrincipalOID, SubscriptionID, ApplicationID, HttpRequest, Properties

// Detect Azure VM DNS Threat

DnsEvents
| where IPAddresses != ""
| join ThreatIntelligenceIndicator on $left.Name == $right.DomainName
| where ConfidenceScore > 50

Explanation

This query is a comprehensive Azure Cloud Security Monitoring script that performs various security checks and detections. Here's a simplified summary of each section:

  1. Detect new blob with allowBlobPublicAccess enabled:
     • Checks for any new storage accounts where public access to blobs is enabled.
  2. Detect new public IP address creation:
     • Identifies when a new public IP address is successfully created.
  3. Detect NSG (Network Security Group) creation or deletion:
     • Monitors for the creation or deletion of security rules within Network Security Groups.
  4. Detect Azure VM password reset (Lateral movement technique):
     • Looks for password reset activities on Azure Virtual Machines, which could indicate lateral movement by an attacker.
  5. Detect Privilege Escalation on Azure Service Principal:
     • Identifies when credentials are added to service principals associated with critical identities, which could indicate privilege escalation.
  6. Detect Azure API spray attacks:
     • Detects potential API spray attacks by identifying multiple failed API requests from the same IP address within the last day.
  7. Detect Azure API Secrets Extraction:
     • Monitors for operations that list secrets in Azure API Management, which could indicate an attempt to extract sensitive information.
  8. Detect Azure VM DNS Threat:
     • Identifies DNS events from Azure VMs that match known threat intelligence indicators with a high confidence score.

Each section uses specific Azure logs and data sources to identify potential security threats and anomalies in the cloud environment.
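To make the filtering logic of sections 1, 3 and 6 concrete outside a Log Analytics workspace, here is a Python re-implementation of those three detections run over constructed sample rows. This is an added example, not part of the original query set or the author's work: every record, subscription id, account name and IP address is invented, and the only thing taken from the queries is the column names (AzureActivity's OperationNameValue, Properties, Properties_d and _ResourceId; ApiManagementGatewayLogs' CallerIpAddress and IsRequestSuccess) and the same filtering steps.

```python
import json
from collections import Counter

# Constructed sample AzureActivity rows (invented values; the column names
# follow the AzureActivity schema used by the KQL queries above).
AZURE_ACTIVITY = [
    {
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "SubscriptionId": "sub-0001",
        "CallerIpAddress": "203.0.113.10",
        "Properties": json.dumps({"resource": "stpublicdemo", "caller": "alice@example.com"}),
        # requestbody is itself a JSON string inside the dynamic column
        "Properties_d": {"requestbody": json.dumps({"properties": {"allowBlobPublicAccess": True}})},
    },
    {
        # Same operation with public access disabled: must not alert.
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "SubscriptionId": "sub-0001",
        "CallerIpAddress": "203.0.113.11",
        "Properties": json.dumps({"resource": "stprivate", "caller": "bob@example.com"}),
        "Properties_d": {"requestbody": json.dumps({"properties": {"allowBlobPublicAccess": False}})},
    },
    {
        # Storage write whose request body does not mention the setting at all.
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "SubscriptionId": "sub-0001",
        "CallerIpAddress": "203.0.113.12",
        "Properties": json.dumps({"resource": "stother", "caller": "carol@example.com"}),
        "Properties_d": {"requestbody": json.dumps({"properties": {"minimumTlsVersion": "TLS1_2"}})},
    },
    {
        "OperationNameValue": "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "ActivityStatusValue": "Accept",
        "Caller": "alice@example.com",
        "CallerIpAddress": "203.0.113.10",
        "ResourceGroup": "rg-prod",
        "_ResourceId": "/subscriptions/sub-0001/resourceGroups/rg-prod/providers/"
                       "Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp-any",
    },
]

# Constructed ApiManagementGatewayLogs rows: six failures and one success from
# one caller, three failures from another.
API_GATEWAY_LOGS = (
    [{"CallerIpAddress": "198.51.100.7", "IsRequestSuccess": False} for _ in range(6)]
    + [{"CallerIpAddress": "198.51.100.8", "IsRequestSuccess": False} for _ in range(3)]
    + [{"CallerIpAddress": "198.51.100.7", "IsRequestSuccess": True}]
)


def public_blob_access_events(rows):
    """Section 1: storage-account writes whose request body sets
    allowBlobPublicAccess to true. The body is a JSON string inside
    Properties_d, hence the nested parse, exactly as the KQL does it."""
    hits = []
    for row in rows:
        if not row["OperationNameValue"].startswith("MICROSOFT.STORAGE/STORAGEACCOUNTS/"):
            continue
        body = json.loads(row["Properties_d"].get("requestbody") or "{}")
        value = body.get("properties", {}).get("allowBlobPublicAccess")
        if value is None:                  # isnotempty(allowBlobPublicAccess)
            continue
        if str(value).lower() != "true":   # KQL tostring(true) yields "true"
            continue
        props = json.loads(row["Properties"])
        hits.append({
            "SubscriptionId": row["SubscriptionId"],
            "CallerIpAddress": row["CallerIpAddress"],
            "CallerUPN": props.get("caller"),
            "ResourceName": props.get("resource"),
            "allowBlobPublicAccess": "true",
        })
    return hits


def nsg_rule_changes(rows):
    """Section 3: NSG security-rule write/delete events; NSG and rule names are
    read from fixed positions of the resource id, like split(_ResourceId,'/')[8]
    and [10] in the query."""
    ops = {"microsoft.network/networksecuritygroups/securityrules/write",
           "microsoft.network/networksecuritygroups/securityrules/delete"}
    out = []
    for row in rows:
        if row["OperationNameValue"].lower() not in ops:   # =~ is case-insensitive
            continue
        if row.get("ActivityStatusValue") != "Accept":
            continue
        parts = row["_ResourceId"].split("/")
        out.append({"NsgName": parts[8], "NsgRule": parts[10],
                    "ResourceGroup": row["ResourceGroup"], "Caller": row["Caller"],
                    "CallerIpAddress": row["CallerIpAddress"]})
    return out


def api_spray_sources(rows, threshold=5):
    """Section 6: failed requests per caller IP, callers above the threshold
    first by count (summarize count() by CallerIpAddress | sort by Count desc)."""
    failed = Counter(r["CallerIpAddress"] for r in rows if r["IsRequestSuccess"] is False)
    return [(ip, n) for ip, n in failed.most_common() if n > threshold]


if __name__ == "__main__":
    print(public_blob_access_events(AZURE_ACTIVITY))
    print(nsg_rule_changes(AZURE_ACTIVITY))
    print(api_spray_sources(API_GATEWAY_LOGS))
```

The two negative storage rows show why the query keeps both the isnotempty check and the string comparison: a write that never touches the setting yields an empty value, and a write that sets it to false must drop out too.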

Details

Steven Lim

Released: August 2, 2024

Tables

AzureActivity ExposureGraphEdges ExposureGraphNodes CloudAppEvents ApiManagementGatewayLogs CloudAuditEvents DnsEvents ThreatIntelligenceIndicator

Operators

startswith extend tostring parse_json isnotempty == project or =~ split contains join on let set_has_element isnotnull distinct has_any summarize count by sort desc > ago