This scheduled analytic rule takes high-severity alerts raised by Microsoft security products (including Microsoft Defender XDR and Microsoft Entra ID) and correlates them, using IdentityInfo for account context, with Google Cloud VM creation events recorded in GCPAuditLogs. It flags cases where a VM was created within a short window after a high-severity alert involving the same identity, since a freshly compromised account being used to stand up new cloud compute is a common sign of attacker-controlled infrastructure.
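The rule itself is a KQL query (linked from the Source row below); the following is an added example, not the rule's own query, that models the same correlation logic in Python over constructed records so the windowing behaviour can be checked offline. Every column name, method name, account and timestamp here is an assumption chosen for illustration.

```python
"""Offline model of the alert-to-VM-creation correlation (constructed data).

Reproduces the join the Sentinel rule performs across SecurityAlert,
IdentityInfo and GCPAuditLogs. Field names and sample values are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (all sample data is UTC)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Alert:
    """Modelled on a SecurityAlert row (column names assumed)."""
    time: datetime
    severity: str
    product: str
    account_upn: str
    title: str


@dataclass(frozen=True)
class Identity:
    """Modelled on an IdentityInfo row: maps a UPN to the mail address GCP logs."""
    account_upn: str
    mail: str


@dataclass(frozen=True)
class GcpAuditEvent:
    """Modelled on a GCPAuditLogs row (method and principal names assumed)."""
    time: datetime
    method_name: str
    principal_email: str
    resource_name: str


# Constructed sample data: one High alert on alice, one Medium alert on bob.
ALERTS = [
    Alert(ts("2024-05-01T10:00:00"), "High", "Microsoft Entra ID Protection",
          "alice@contoso.onmicrosoft.com", "Anomalous token"),
    Alert(ts("2024-05-01T10:05:00"), "Medium", "Microsoft Defender XDR",
          "bob@contoso.onmicrosoft.com", "Suspicious sign-in"),
]
IDENTITIES = [
    Identity("alice@contoso.onmicrosoft.com", "alice@contoso.com"),
    Identity("bob@contoso.onmicrosoft.com", "bob@contoso.com"),
]
GCP_EVENTS = [
    GcpAuditEvent(ts("2024-05-01T09:50:00"), "v1.compute.instances.insert",
                  "alice@contoso.com", "projects/p1/zones/us-central1-a/instances/vm-before"),
    GcpAuditEvent(ts("2024-05-01T10:10:00"), "v1.compute.instances.delete",
                  "alice@contoso.com", "projects/p1/zones/us-central1-a/instances/old-vm"),
    GcpAuditEvent(ts("2024-05-01T10:20:00"), "v1.compute.instances.insert",
                  "Alice@Contoso.com", "projects/p1/zones/us-central1-a/instances/vm-after"),
    GcpAuditEvent(ts("2024-05-01T12:30:00"), "v1.compute.instances.insert",
                  "alice@contoso.com", "projects/p1/zones/us-central1-a/instances/vm-late"),
    GcpAuditEvent(ts("2024-05-01T10:15:00"), "v1.compute.instances.insert",
                  "bob@contoso.com", "projects/p1/zones/us-central1-a/instances/vm-bob"),
]

# GCP audit method names that create a Compute Engine instance (assumed set).
VM_CREATE_METHODS = {"v1.compute.instances.insert", "beta.compute.instances.insert"}


def mail_by_upn(identities):
    """Case-insensitive UPN -> mail lookup, standing in for the IdentityInfo join."""
    return {i.account_upn.lower(): i.mail.lower() for i in identities}


def correlate(alerts, identities, events, window=timedelta(hours=1)):
    """Return VM creations by an alerted identity within `window` after a High alert.

    Only events at or after the alert count: a VM created before the alert fired
    is not "creation following an alert", and events past the window are dropped
    to keep the signal tight. Principal comparison is case-insensitive because
    GCP and Entra may differ in the casing they log.
    """
    lookup = mail_by_upn(identities)
    matches = []
    for alert in alerts:
        if alert.severity.lower() != "high":
            continue
        mail = lookup.get(alert.account_upn.lower())
        if mail is None:
            continue
        for ev in events:
            if ev.method_name not in VM_CREATE_METHODS:
                continue
            if ev.principal_email.lower() != mail:
                continue
            delta = ev.time - alert.time
            if timedelta(0) <= delta <= window:
                matches.append({
                    "alert": alert.title,
                    "product": alert.product,
                    "account": mail,
                    "vm": ev.resource_name,
                    "minutes_after_alert": int(delta.total_seconds() // 60),
                })
    return matches


if __name__ == "__main__":
    for match in correlate(ALERTS, IDENTITIES, GCP_EVENTS):
        print(match)
```

With the default one-hour window only `vm-after` matches: `vm-before` predates the alert, `old-vm` is a delete rather than an insert, `vm-late` is outside the window, and `vm-bob` follows a Medium alert. Widening the window to three hours pulls `vm-late` in as well, which is the tuning knob to watch when the rule is noisy.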
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | GitHub Only |
| ID | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, Execution, Discovery |
| Techniques | T1078, T1106, T1526 |
| Required Connectors | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity, BehaviorAnalytics |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| GCPAuditLogs | ✓ | ✓ | ? |
| IdentityInfo | ✓ | ✗ | ? |
| SecurityAlert | ✓ | ✗ | ? |
The following connectors provide data for this content item:
Solutions: Google Cloud Platform Audit Logs, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID Protection, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement