Detection rules › Kusto
Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary '
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Rule body kusto
id: fa2658fe-3714-4c55-bb12-2b7275c628e8
name: Threat Essentials - Mass Cloud resource deletions Time Series Anomaly
description: |
'This query generates baseline pattern of cloud resource deletions by an user and generated anomaly when any unusual spike is detected.
These anomalies from unusual or privileged users could be an indication of cloud infrastructure take-down by an adversary '
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1485
tags:
- DEV-0537
query: |
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let TotalEventsThreshold = 25;
let TimeSeriesData =
AzureActivity
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where OperationNameValue endswith "delete"
| project TimeGenerated, Caller
| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller;
let TimeSeriesAlerts = materialize(TimeSeriesData
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, 'linefit')
| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
| where anomalies > 0
| project Caller, TimeGenerated, Total, baseline, anomalies, score
| where Total > TotalEventsThreshold and baseline > 0 );
TimeSeriesAlerts
| where TimeGenerated > (ago(endtime))
| project TimeGenerated, Caller
| join kind = inner (AzureActivity
| where TimeGenerated > (ago(endtime))
| where OperationNameValue endswith "delete"
| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller
| extend Name = iif(Caller has '@',tostring(split(Caller,'@',0)[0]),"")
| extend UPNSuffix = iif(Caller has '@',tostring(split(Caller,'@',1)[0]),"")
| extend AadUserId = iif(Caller !has '@',Caller,"")
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: AadUserId
columnName: AadUserId
version: 1.0.2
kind: Scheduled
Stages and Predicates
Parameters
let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let TotalEventsThreshold = 25;
The stages below define let TimeSeriesAlerts (the rule's main pipeline source).
Stage 1: source
TimeSeriesData
Stage 2: extend
extend anomalies, baseline, score
Stage 3: mv-expand
mv-expand Total
Stage 4: where
where anomalies > 0
Stage 5: project
project Caller, TimeGenerated, Total, anomalies, baseline, score
Stage 6: where
where Total > 25 and baseline > 0
Stage 7: where
where ...
Stage 8: project
project Caller, TimeGenerated
Stage 9: join
join kind=inner (...)
Stage 10: extend (3 consecutive steps)
extend Name
Stage 11: summarize
summarize by Caller
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
OperationNameValue | ends_with |
|
Total | gt |
|
anomalies | gt |
|
baseline | gt |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
Caller | summarize |