User ran a command on Azure Compute

Set up the azure integration.

Goal

Detect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.

Strategy

Monitor Azure Compute logs for MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION events that have @evt.outcome of Success.

Triage and response

Reach out to the user to determine if the activity is legitimate.