Suspicious VM Instance Creation Activity Detected

This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID Protection, and correlates them with Google Cloud VM creation events recorded in GCP audit logs. It focuses on VMs created within a short timeframe of a high-severity alert, which may indicate that the compromised identity behind the alert is being used to stand up new cloud compute. A VM creation with no nearby high-severity alert does not trigger the rule; the correlated pair is the signal to triage.

| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | GitHub Only |
| ID | 1cc0ba27-c5ca-411a-a779-fbc89e26be83 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, Execution, Discovery |
| Techniques | T1078 (Valid Accounts), T1106 (Native API), T1526 (Cloud Service Discovery) |
| Required Connectors | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity, BehaviorAnalytics |
| Source | View on GitHub |
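The correlation described above, as an added KQL example written for this page. It is not the rule's own query (that is linked under Source); it assumes the standard `SecurityAlert` table, the `GCPAuditLogs` table with a `PrincipalEmail` column as ingested by the GCP audit logs connector, and a one-hour window as the "short timeframe".

```kql
// Added illustrative query, not the analytic rule's own KQL.
// Assumptions: SecurityAlert and GCPAuditLogs tables, GCPAuditLogs.PrincipalEmail,
// a 1-day lookback and a 1-hour alert-to-VM-creation window.
let lookback = 1d;   // assumed query period of the scheduled rule
let window   = 1h;   // assumed "short timeframe" after the alert
// 1. High-severity alerts, with the account entity flattened to a UPN so it can be
//    compared against the GCP principal that created the VM.
let HighSeverityAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertSeverity == "High"
    | extend AccountEntities = todynamic(Entities)
    | mv-expand AccountEntity = AccountEntities
    | where tostring(AccountEntity.Type) == "account"
    | extend AlertUser = tolower(strcat(tostring(AccountEntity.Name), "@",
                                        tostring(AccountEntity.UPNSuffix)))
    | project AlertTime = TimeGenerated, AlertName, ProductName, AlertUser, JoinKey = 1;
// 2. Compute Engine instance creation events. "has" matches both the v1 and beta
//    method paths (e.g. v1.compute.instances.insert, beta.compute.instances.insert).
let VmCreations =
    GCPAuditLogs
    | where TimeGenerated > ago(lookback)
    | where ServiceName == "compute.googleapis.com"
    | where MethodName has "compute.instances.insert"
    | project VmCreateTime = TimeGenerated,
              GcpPrincipal = tolower(PrincipalEmail),
              // ResourceName looks like projects/<p>/zones/<z>/instances/<name>
              InstanceName = extract(@"instances/([^/]+)$", 1, ResourceName),
              MethodName,
              JoinKey = 1;
// 3. Time-window correlation: every VM created within `window` after a high-severity
//    alert. The constant JoinKey makes this a cross join, which is acceptable for the
//    small number of high-severity alerts per day; SameIdentity marks the stronger
//    case where the alert's account and the GCP principal are the same e-mail.
HighSeverityAlerts
| join kind=inner (VmCreations) on JoinKey
| where VmCreateTime between (AlertTime .. (AlertTime + window))
| extend SameIdentity = (AlertUser == GcpPrincipal)
| project AlertTime, AlertName, ProductName, AlertUser,
          VmCreateTime, GcpPrincipal, InstanceName, MethodName, SameIdentity
| order by AlertTime desc
```

Two tuning points to check before enabling something like this: the `mv-expand` drops alerts that carry no account entity (use `CompromisedEntity` as a fallback if those matter in your tenant), and in environments where Entra and Google identities share an e-mail address, joining on `$left.AlertUser == $right.GcpPrincipal` instead of the constant key removes most of the noise from unrelated VM builds.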
