Microsoft Azure – Rules by Use Case
Advanced Analytics versions that support Azure rules:
- Legacy Data Structure Versions: not yet supported
- Common Information Model Versions: i63.5 (supports all the rules listed in each use case)
Note: All model-based rules have rule names that end with "-F" or "-A". Rules without these rule name endings are fact-based rules.
| Use Case | Rule ID – Rule Name |
|---|---|
| Abnormal Authentication & Access | Azure-Operation-User-F: First time operation |
| | Azure-DistinctOperationCount-User-A: Abnormal amount of distinct operations |
| | Azure-Service-User-F: First time cloud service for user |
| | Azure-Region-User-F: First time region for user |
| | Azure-Region-Org-F: First time region for the organization |
| | Azure-UserAgent-Org-F: First time user agent |
| | Azure-Country-User-F: First time country for user |
| | Azure-Time-User-A: Abnormal time for user activity in Azure |
| Privilege Escalation | Azure-UserRoleDefinitionWrite-Org-F: First time role definition modification for user |
| | Azure-UserRoleAssign-Org-F: First time role assignment for user |
| | Azure-UserClassicAdminSet-Org-F: First time classic admin set |
| | Azure-UserKeyvaultWrite-Org-F: First time keyvault object written by user |
| | Azure-UserKeyvaultRead-Org-F: First time keyvault object read for user |
| | Azure-KeyvaultReadCount-User-A: Abnormal amount of KeyVault read operations |
| Cloud Data Protection | Azure-UserComputeSASGeneration-Org-F: First time Azure SAS generation for compute resources |
| | Azure-UserSnapshotWrite-Org-F: First time snapshot write operation |
| | Azure-UserDiskFromSnapshot-Org-F: First time disk creation from snapshot |
| | Azure-UserStorageList-Org-F: First time storage enumeration |
| | Azure-StorageListCount-User-A: Abnormal amount of storage blob/container list operations |
| | Azure-UserSetContainerAcl-Org-F: First time container ACL modification for user |
| | Azure-StorageGetCount-User-A: Abnormal amount of storage blob read operations |
| | Azure-BlobCopyCount-Org-A: Abnormal amount of blob copies from the organization |
| | Azure-BytesOut-User-A: Abnormal amount of egress data for user |
| | Azure-BlobCopyCountTarget-StorageAccount-A: Abnormal amount of blob copies to a storage account |
| | B-Azure-UserAgent-StorageAccount-F: First time user agent seen when accessing this storage account |
| | B-Azure-StorageGetCount-StorageAccount-A: Abnormal amount of storage blob read operations for storage account |
| | B-Azure-BlobCopyCountTarget-StorageAccount-A: Abnormal amount of blob copies to a storage account |
| | B-Azure-BytesOut-StorageAccount-A: Abnormal amount of egress data from storage account |
| Malware | Azure-UserAutomationWrite-Org-F: First time Azure automation object create/update operation |
| | Azure-UserRunCommand-Org-F: First time remote command execution on Azure VM |
| | Azure-UserImageWrite-Org-F: First time image write operation |
| | Azure-UserBlobUpload-Org-F: First time storage blob upload |
| | Azure-UserCriticalBlobUpload-Org-F: First time storage critical blob upload |
| Cryptomining | Azure-UserVMWrite-Org-F: First time VM write operation |
| | Azure-VMImagePublisher-Org-F: First time VM publisher |