<  Back to rules search

User ran a command on Azure Compute

azure

Classification:

attack

Tactic:

Set up the azure integration.

Goal

Detect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.

Strategy

Monitor Azure Compute logs for MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION events that have @evt.outcome of Success.

Triage and response

  1. Reach out to the user to determine if the activity is legitimate.