Query Details
// Suspicious ARM activities
let threshold = 3;
let newGuestAccounts = (
    CloudAppEvents
    | where Timestamp > ago(7d)
    | where ActionType == "Add user."
    | where RawEventData.ResultStatus == "Success"
    | where RawEventData has "guest" and RawEventData.ObjectId has "#EXT#"
    | mv-expand Property = RawEventData.ModifiedProperties
    | where Property.Name == "AccountEnabled" and Property.NewValue has "true"
    | project newGuestAccountObjectId = tostring(RawEventData.Target[1].ID)
    | distinct newGuestAccountObjectId);
CloudAppEvents
| where Timestamp > ago(7d)
| where isnotempty(toscalar(newGuestAccounts))
| where Application == "Microsoft Azure"
| where ActionType == "Validate Deployments"
| where RawEventData contains "createVm"
| where AccountObjectId in (newGuestAccounts)
| summarize VMCreationCount = count() by AccountObjectId
| where VMCreationCount > threshold
This query looks for suspicious activity related to Azure Resource Manager (ARM). It first builds a list of guest accounts (external users, identified by "#EXT#" in the object ID) that were added successfully in the past 7 days and whose "AccountEnabled" property was set to true, taking the object ID from the second entry of the audit event's Target array. It then filters CloudAppEvents for Microsoft Azure "Validate Deployments" events whose raw event data contains the term "createVm", and keeps only those whose account object ID appears in that list of new guest accounts. Finally, it counts VM creation validations per account object ID and returns only the accounts whose count exceeds the threshold (3).
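To make the two-stage logic concrete, here is an offline model of the same detection in Python. This is an added example, not the author's query or any Microsoft code: it runs the same checks over a handful of constructed CloudAppEvents-shaped rows (the account IDs, UPNs and timestamps are all made up), approximates KQL's `has` and `contains` operators with case-insensitive substring matches on the serialised RawEventData, and returns the accounts that exceed the threshold.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference time so the 7-day lookback window is deterministic offline.
NOW = datetime(2022, 8, 24, tzinfo=timezone.utc)
THRESHOLD = 3  # same threshold as the KQL query


def add_user_event(target_oid, upn, days_ago, enabled=True, user_type="Guest"):
    """Constructed 'Add user.' audit row shaped like a CloudAppEvents record."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "Application": "Office 365",
        "ActionType": "Add user.",
        "AccountObjectId": "admin-0001",  # hypothetical admin who created the user
        "RawEventData": {
            "ResultStatus": "Success",
            "ObjectId": upn,
            "ModifiedProperties": [
                {"Name": "AccountEnabled", "NewValue": "[true]" if enabled else "[false]"},
                {"Name": "UserType", "NewValue": f"[{user_type}]"},
            ],
            # The query reads Target[1].ID, i.e. the second element (zero-indexed).
            "Target": [{"ID": upn}, {"ID": target_oid}],
        },
    }


def validate_deployment_event(account_oid, days_ago, hours=0):
    """Constructed ARM 'Validate Deployments' row whose body mentions createVm."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago, hours=hours),
        "Application": "Microsoft Azure",
        "ActionType": "Validate Deployments",
        "AccountObjectId": account_oid,
        "RawEventData": {"operationName": "createVm", "ResultStatus": "Success"},
    }


def new_guest_accounts(events, now=NOW, lookback_days=7):
    """Stage 1: object IDs of guest accounts added and enabled inside the window."""
    since = now - timedelta(days=lookback_days)
    found = set()
    for e in events:
        raw = e["RawEventData"]
        if e["Timestamp"] <= since or e["ActionType"] != "Add user.":
            continue
        if raw.get("ResultStatus") != "Success":
            continue
        # KQL `has` is a case-insensitive term match; a substring test on the
        # serialised JSON is a slightly looser stand-in for this offline model.
        blob = json.dumps(raw).lower()
        if "guest" not in blob or "#ext#" not in str(raw.get("ObjectId", "")).lower():
            continue
        enabled = any(p["Name"] == "AccountEnabled" and "true" in p["NewValue"].lower()
                      for p in raw.get("ModifiedProperties", []))
        if enabled:
            found.add(raw["Target"][1]["ID"])
    return found


def suspicious_vm_creators(events, threshold=THRESHOLD, now=NOW, lookback_days=7):
    """Stage 2: new guest accounts with more than `threshold` createVm validations."""
    guests = new_guest_accounts(events, now, lookback_days)
    if not guests:  # mirrors the isnotempty(toscalar(newGuestAccounts)) guard
        return {}
    since = now - timedelta(days=lookback_days)
    counts = Counter()
    for e in events:
        if (e["Timestamp"] > since
                and e["Application"] == "Microsoft Azure"
                and e["ActionType"] == "Validate Deployments"
                and "createvm" in json.dumps(e["RawEventData"]).lower()  # `contains`
                and e["AccountObjectId"] in guests):
            counts[e["AccountObjectId"]] += 1
    return {acct: n for acct, n in counts.items() if n > threshold}


# Constructed sample telemetry: one guest over threshold, one under, one added
# outside the window, and one member account that should never be considered.
SAMPLE_EVENTS = [
    add_user_event("guest-1111", "alice_partner.example#EXT#@contoso.example", days_ago=2),
    add_user_event("guest-2222", "eve_vendor.example#EXT#@contoso.example", days_ago=1),
    add_user_event("guest-3333", "old_partner.example#EXT#@contoso.example", days_ago=10),
    add_user_event("member-4444", "bob@contoso.example", days_ago=1, user_type="Member"),
    *[validate_deployment_event("guest-1111", 1, hours=h) for h in range(4)],   # 4 > 3
    *[validate_deployment_event("guest-2222", 1, hours=h) for h in range(2)],   # 2, below
    *[validate_deployment_event("guest-3333", 1, hours=h) for h in range(6)],   # not a new guest
    *[validate_deployment_event("member-4444", 1, hours=h) for h in range(5)],  # member, ignored
]

if __name__ == "__main__":
    print("new guest accounts:", sorted(new_guest_accounts(SAMPLE_EVENTS)))
    print("flagged:", suspicious_vm_creators(SAMPLE_EVENTS))
```

Running it flags only guest-1111: guest-2222 stays under the threshold, guest-3333 was added before the 7-day window, and member-4444 generates the most validations of all but is never a candidate because it is not a newly added guest. When tuning the real query, the `threshold` and the lookback window are the two knobs that trade false positives against missed bursts, so test both against your own baseline of legitimate guest deployments.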

Rod Trent
Released: August 24, 2022