New Azure API Call Invoked by User Accessed Resource for the First Time
This alert occurs when Lacework detects a user has called the API to access a resource for the first time.
Why this Alert is Important
As an Azure admin, you want to ensure that this access to a resource is an authorized operation.
Investigate
Use Azure Log Analytics to look at trends in processes, accounts, and computers and to understand when anomalous or rare processes and accounts run on computers, as this can indicate potentially malicious or unwanted activity. Run the following query against your data; whatever it returns is anomalous or rare relative to the last 30 days. The query lists the processes run by computer and account groups over a week, so you can see what is new and compare it with the behavior over the last 30 days. This technique can be applied to any logs in the Advanced Azure Log Analytics pane.
let T = SecurityEvent
| where TimeGenerated >= ago(30d)
| extend Date = startofday(TimeGenerated)
| extend Process = ProcessName
| where Process != ""
| where Process != "-"
| where Process !contains "\\Windows\\System"
| where Process !contains "\\Program Files\\Microsoft\\"
| where Process !contains "\\Program Files\\Microsoft Monitoring Agent\\"
| where Process !contains "\\ProgramData\\"
| where Process !contains "\\Windows\\WinSxS\\"
| where Process !contains "\\Windows\\SoftwareDistribution\\"
| where Process !contains "\\mpsigstub.exe"
| where Process !contains "\\WindowsAzure\\GuestAgent"
| where Process !contains "\\Windows\\Servicing\\TrustedInstaller.exe"
| where Process !contains "\\Windows\\Microsoft.Net\\"
| where Process !contains "\\Packages\\Plugins\\"
| project Date, Process, Computer, Account
| summarize count() by Date, Process, Computer, Account
| sort by count_ desc nulls last;
T
| evaluate activity_counts_metrics(Process, Date, startofday(ago(30d)), startofday(now()), 1d, Process, Computer, Account)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, Process, PotentialAnomalyCount = new_dcount, Account, Computer
| join kind= inner
(
T
| evaluate activity_engagement(Process, Date, startofday(ago(30d)), startofday(now()),1d, 7d)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, Distribution1day = dcount_activities_inner, Distribution7days = dcount_activities_outer, Ratio = activity_ratio*100
)
on WeekDate, Date
| where PotentialAnomalyCount == 1 and Ratio < 100
| project WeekDate, Date, Process, Account, Computer , PotentialAnomalyCount, Distribution1day, Distribution7days, Ratio
| render barchart kind=stacked
After identifying a computer or account you want to investigate, you can dig further into the complete data for that computer by opening a secondary query window and filtering only on the computer or account that looks malicious.
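The alert itself is a first-seen comparison: a (caller, operation, resource) combination observed today that never appeared in a trailing baseline. The following Python is an added example, not Lacework's detection code, that applies that logic to constructed Azure Activity log style records (the callers, resource IDs, and timestamps are made up) and also shows the caveat that activity older than the baseline window is forgotten and gets re-flagged.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Azure Activity log entries
# (caller, operation name, resource ID, UTC timestamp). Not real tenant data.
ACTIVITY = [
    {"caller": "alice@example.com", "operation": "Microsoft.Compute/virtualMachines/read",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
     "time": "2024-04-10T08:00:00Z"},   # inside the 30-day baseline
    {"caller": "alice@example.com", "operation": "Microsoft.Compute/virtualMachines/read",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
     "time": "2024-05-01T09:00:00Z"},   # repeat of a baselined access: not new
    {"caller": "bob@example.com", "operation": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod",
     "time": "2024-05-01T10:15:00Z"},   # never seen before: new
    {"caller": "bob@example.com", "operation": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod",
     "time": "2024-05-01T10:20:00Z"},   # same tuple again: reported once
    {"caller": "carol@example.com", "operation": "Microsoft.KeyVault/vaults/read",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod",
     "time": "2024-03-20T14:00:00Z"},   # older than the baseline: forgotten
    {"caller": "carol@example.com", "operation": "Microsoft.KeyVault/vaults/read",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod",
     "time": "2024-05-01T11:00:00Z"},   # flagged with a 30-day baseline, not with 60
]

NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed "current time" for the evaluation


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def first_time_access(records, now, window=timedelta(days=1), baseline=timedelta(days=30)):
    """Return (caller, operation, resource) tuples seen in the current window that
    never appeared in the preceding baseline period, ordered by first occurrence."""
    window_start, baseline_start = now - window, now - baseline
    seen, current = set(), []
    for r in records:
        t, key = parse(r["time"]), (r["caller"], r["operation"], r["resource"])
        if baseline_start <= t < window_start:
            seen.add(key)                     # part of the learned baseline
        elif window_start <= t <= now:
            current.append((t, key))          # candidate for the alert
    findings, reported = [], set()
    for t, key in sorted(current):
        if key not in seen and key not in reported:
            reported.add(key)
            findings.append({"time": t.isoformat(), "caller": key[0],
                             "operation": key[1], "resource": key[2]})
    return findings


if __name__ == "__main__":
    for f in first_time_access(ACTIVITY, NOW):
        print(f"{f['time']} {f['caller']} {f['operation']} -> {f['resource']}")
```

The same comparison can be expressed in Log Analytics as a leftanti join of the current day's AzureActivity rows against the prior 30 days on the caller, operation, and resource columns; widening the baseline, as the 60-day call in the test shows, suppresses re-alerts on long-dormant but legitimate access.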
Resolution
After detecting anomalous behavior, Lacework recommends the following resolutions:
- Suspend or revoke the user's access.
- Investigate their activity to identify any unauthorized actions they may have taken. You can review the Azure Activity Logs, diagnostic logs, and other security logs to identify any suspicious activity or anomalies.
- If the malicious user has caused any damage, such as deleting or modifying resources, take steps to contain the damage and restore affected resources from backups if necessary.
- Change all passwords associated with the affected user account and enable MFA to prevent unauthorized access to Azure resources.
- To prevent similar incidents from occurring in the future, consider implementing stronger security controls, such as role-based access control (RBAC), network security groups, and Azure Security Center. You can also monitor Azure resources for suspicious activity using Azure Sentinel or other security tools.