[AzureSubscription] Suspicious Azure VM Run Command Execution Detected



Detects Azure VM Run Command execution correlated with unusual sign-in behavior from UEBA. This can indicate administrative abuse or post-compromise activity.

Type: Analytic Rule
Solution: eDCRule
ID: 6fa564ac-dfb7-4753-a49b-5fc919866c28
Severity: High
Status: Available
Kind: Scheduled
Tactics: LateralMovement, CredentialAccess
Techniques: T1570, T1212
Required Connectors: AzureActivity
Source: View on GitHub

Tables Used

This content item queries data from the following tables:

Table: AzureActivity
  Selection Criteria:
    Authorization has "virtualMachines"
    Caller contains "@"
    OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"

Table: BehaviorAnalytics
  Selection Criteria:
    EventSource == "Azure AD"
  Transformations / Ingestion API / Lake-Only: ?
