Cloud Service Discovery

// Detection 1: Azure Resource Manager bulk enumeration
let EnumerationWindow = 10m;
let ListOperationThreshold = 20;
AzureActivity
| where TimeGenerated > ago(1h)
| where ActivityStatusValue =~ "Success"
| where OperationNameValue has_any ("list", "List", "LIST") 
    or OperationNameValue has_any ("/read", "/get", "/Get")
| where CategoryValue !in ("Policy", "Alert", "Autoscale")
| summarize
    OperationCount = count(),
    DistinctOperations = dcount(OperationNameValue),
    DistinctResourceTypes = dcount(tostring(split(ResourceId, "/")[3])),
    DistinctSubscriptions = dcount(SubscriptionId),
    OperationList = make_set(OperationNameValue, 30),
    ResourceList = make_set(ResourceId, 30)
    by Caller, CallerIpAddress, bin(TimeGenerated, EnumerationWindow)
| where OperationCount >= ListOperationThreshold or DistinctResourceTypes >= 8
| extend RiskScore = case(
    DistinctResourceTypes >= 15, "Critical",
    DistinctResourceTypes >= 8, "High",
    OperationCount >= 50, "High",
    "Medium"
)
| project TimeGenerated, Caller, CallerIpAddress, OperationCount, DistinctOperations, DistinctResourceTypes, DistinctSubscriptions, RiskScore, OperationList, ResourceList
| sort by DistinctResourceTypes desc, OperationCount desc
// ---
// Detection 2: Microsoft Graph API service enumeration (via AuditLogs)
// Run separately
// AuditLogs
// | where TimeGenerated > ago(1h)
// | where Category in ("Core Directory", "Application Management", "Policy")
// | where OperationName has_any (
//     "Get servicePrincipal", "List servicePrincipals",
//     "Get application", "List applications",
//     "Get policy", "List policies",
//     "Get organization", "Get domain",
//     "Get directoryRole", "List directoryRoles",
//     "List roleAssignments", "List groupMembers"
// )
// | extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
// | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
// | extend SourceIP = tostring(InitiatedBy.user.ipAddress)
// | summarize
//     EnumOperations = count(),
//     DistinctOps = dcount(OperationName),
//     OperationSet = make_set(OperationName, 20)
//     by InitiatedByUser, InitiatedByApp, SourceIP, bin(TimeGenerated, 10m)
// | where EnumOperations >= 10 or DistinctOps >= 5
// | sort by EnumOperations desc

index=azure sourcetype="azure:activity" status=Succeeded
| where (lower(operationName) LIKE "%list%" OR lower(operationName) LIKE "%/read" OR lower(operationName) LIKE "%/get%")
| eval resource_type=mvindex(split(resourceId, "/"), 3)
| eval time_bucket=strftime(round(_time/600)*600, "%Y-%m-%dT%H:%M:%SZ")
| stats
    count as operation_count,
    dc(operationName) as distinct_ops,
    dc(resource_type) as distinct_resource_types,
    dc(subscriptionId) as distinct_subscriptions,
    values(operationName) as operations,
    values(resource_type) as resource_types
    by caller, callerIpAddress, time_bucket
| where operation_count >= 20 OR distinct_resource_types >= 8
| eval risk_score=case(
    distinct_resource_types >= 15, "Critical",
    distinct_resource_types >= 8, "High",
    operation_count >= 50, "High",
    1=1, "Medium"
)
| eval enumeration_breadth=distinct_resource_types . " resource types, " . operation_count . " operations"
| table time_bucket, caller, callerIpAddress, operation_count, distinct_ops, distinct_resource_types, distinct_subscriptions, risk_score, enumeration_breadth, operations, resource_types
| sort - distinct_resource_types, - operation_count

| append [
    search index=azure sourcetype="azure:aad:audit" category IN ("Core Directory", "ApplicationManagement", "Policy")
        (operationName="Get servicePrincipal" OR operationName="List servicePrincipals"
         OR operationName="Get application" OR operationName="List applications"
         OR operationName="Get policy" OR operationName="List policies"
         OR operationName="Get organization" OR operationName="Get directoryRole"
         OR operationName="List directoryRoles" OR operationName="List roleAssignments")
    | eval initiator=coalesce('initiatedBy.user.userPrincipalName', 'initiatedBy.app.displayName', "unknown")
    | eval src_ip=coalesce('initiatedBy.user.ipAddress', "unknown")
    | eval time_bucket=strftime(round(_time/600)*600, "%Y-%m-%dT%H:%M:%SZ")
    | stats count as graph_enum_count, dc(operationName) as distinct_graph_ops, values(operationName) as graph_operations
        by initiator, src_ip, time_bucket
    | where graph_enum_count >= 8 OR distinct_graph_ops >= 5
    | eval risk_score=case(distinct_graph_ops >= 8, "High", 1=1, "Medium")
    | rename initiator as caller, src_ip as callerIpAddress
    | eval operation_count=graph_enum_count, distinct_ops=distinct_graph_ops, distinct_resource_types=null(), distinct_subscriptions=null()
    | eval enumeration_breadth=distinct_graph_ops . " Graph API operations"
    | table time_bucket, caller, callerIpAddress, operation_count, distinct_ops, risk_score, enumeration_breadth, graph_operations
]

sequence by source.user.name, source.ip with maxspan=10m
  [any where event.dataset == "azure.activitylogs" and
   event.outcome == "success" and
   (event.action : ("*/list*","*/read","*/get*") and
    not event.category : ("Policy","Alert","Autoscale"))]
  with runs=20

SELECT DATEFORMAT(FLOOR(devicetime/600000)*600000, 'yyyy-MM-dd HH:mm:ss') as TimeBucket,
  "caller" as Caller, "callerIpAddress" as CallerIP,
  COUNT(*) as OperationCount,
  COUNT(DISTINCT "operationName") as DistinctOps,
  CASE WHEN COUNT(DISTINCT "resourceType") >= 15 THEN 'Critical'
       WHEN COUNT(DISTINCT "resourceType") >= 8 THEN 'High'
       WHEN COUNT(*) >= 50 THEN 'High'
       ELSE 'Medium' END as RiskScore
FROM events
WHERE category = 'azure_activity'
  AND "status" = 'Succeeded'
  AND (LOWER("operationName") LIKE '%list%' OR LOWER("operationName") LIKE '%/read'
       OR LOWER("operationName") LIKE '%/get%')
GROUP BY FLOOR(devicetime/600000), "caller", "callerIpAddress"
HAVING COUNT(*) >= 20 OR COUNT(DISTINCT "resourceType") >= 8
ORDER BY OperationCount DESC

_sourceCategory=azure/activity
| json auto
| where status == "Succeeded"
| where toLower(operationName) matches "(.*list.*|.*/read|.*/get.*)"
| where !category in ("Policy","Alert","Autoscale")
| timeslice 10m
| stats count as OperationCount, dcount(operationName) as DistinctOps,
        dcount(resourceType) as DistinctResourceTypes, values(operationName) as Operations
        by caller, callerIpAddress, _timeslice
| where OperationCount >= 20 OR DistinctResourceTypes >= 8
| eval RiskScore = if(DistinctResourceTypes >= 15, "Critical",
    if(DistinctResourceTypes >= 8, "High",
    if(OperationCount >= 50, "High", "Medium")))
| sort by DistinctResourceTypes desc, OperationCount desc

rule cloud_service_enumeration {
  meta:
    author = "Detection Engineering"
    description = "Detects bulk cloud service discovery activity (T1526)"
    severity = "MEDIUM"
    tactic = "TA0007"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Azure Activity"
    $e.metadata.event_outcome = "ALLOW"
    re.regex($e.metadata.product_event_type, `(?i)(list|/read|/get)`) nocase
    $user = $e.principal.user.userid
    $ip = $e.principal.ip

  match:
    $user, $ip over 10m

  outcome:
    $op_count = count_distinct($e.metadata.product_event_type)

  condition:
    $op_count >= 8
}

#event_simpleName = "CloudApiCall"
| CloudApiAction = /(List|Get|Describe|Enumerate)/i
| stats count() as OperationCount, dc(CloudApiService) as DistinctServices, values(CloudApiAction) as Actions
        by UserName, RemoteAddressIP4, span(timestamp, 10m)
| where OperationCount >= 20 OR DistinctServices >= 8
| eval RiskScore = if(DistinctServices >= 15, "Critical", if(DistinctServices >= 8 OR OperationCount >= 50, "High", "Medium"))
| table timestamp, UserName, RemoteAddressIP4, OperationCount, DistinctServices, RiskScore, Actions
| sort by DistinctServices desc