// Name: Granting permissions to account
//
// Id: 2b6a3882-d601-4298-983b-880f6dc7acdb
//
// Description: Shows the most prevalent users who grant access to others on Azure resources and, for each account,
// their common source IP address. An operation that does not come from this IP address may be worth investigating.
//
// DataSource: #AzureActivity
//
// Tactics: #Persistence, #LateralMovement
//
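// Lookback window for the baseline. Hoisted into a parameter so the hunt can be
// re-run over a different period without editing the pipeline (original value: 14d).
let lookback = 14d;
AzureActivity
| where TimeGenerated >= ago(lookback)
// Role assignments are the operation through which access is granted on Azure resources.
| where OperationName == "Create role assignment"
// Only grants that actually took effect; failed attempts are out of scope for this baseline.
// NOTE(review): newer AzureActivity schemas expose ActivityStatusValue rather than
// ActivityStatus — confirm which column this workspace populates.
| where ActivityStatus == "Succeeded"
// Reduce to the two attributes the baseline is built from before mining. The original
// projected a wider column set and then immediately re-projected to these two, so the
// wider projection was dead; it is dropped here.
// NOTE(review): CallerIpAddress can be empty for non-interactive callers — confirm before
// treating a blank address as anomalous.
| project Caller, CallerIpAddress
// Frequent-itemset mining over the remaining columns. Output carries SegmentId, Count and
// Percent plus the pattern columns (null where a column is not part of the pattern).
// Running basket() here, on exactly two columns, keeps the patterns to account/IP pairs.
| evaluate basket()
// Sentinel entity mapping, added after basket() so the entity columns (which duplicate
// Caller and CallerIpAddress) do not feed the miner and inflate it with redundant itemsets.
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress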