Query Details

Detect Custom Script or Run Command deployment by risky user

Detect Azure Script Or Run Command By Risky User

Query

AzureActivity 
| where TimeGenerated > ago(1h)
| where CategoryValue == "Administrative"
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/runCommand/action"
    or OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
| extend VMName = tostring(todynamic(Properties).resource)
| summarize make_list(ActivityStatusValue), TimeGenerated = max(TimeGenerated) by CorrelationId, CallerIpAddress, Caller, ResourceGroup, VMName
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(14d) ) on $left.Caller == $right.UserPrincipalName

About this query

Explanation

This query is designed to identify potentially risky activities involving the deployment of custom scripts or run commands on Azure or Azure Arc virtual machines by users flagged as risky in Entra ID Identity Protection. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the AzureActivity table, which logs activities related to Azure resources.

  2. Time Frame: The query focuses on activities that occurred in the last hour (TimeGenerated > ago(1h)).

  3. Activity Type: It filters for activities categorized as "Administrative" and specifically looks for operations related to running commands or writing extensions on virtual machines (OperationNameValue).

  4. Extracting Information: It extracts the virtual machine name from the activity properties and summarizes the activities by correlation ID, IP address of the caller, the caller's identity, resource group, and virtual machine name.

  5. Risky Users: The query then joins this information with the AADUserRiskEvents table to find users who have been flagged for risk events in the last 14 days (TimeGenerated > ago(14d)).

  6. Purpose: The goal is to detect if a user with a history of risky behavior is deploying scripts or commands on virtual machines, which could indicate a compromised account attempting lateral movement within the cloud environment.

This detection rule helps mitigate the risk of unauthorized or malicious activities by identifying potentially compromised cloud admin accounts engaging in suspicious actions.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 22, 2025

Tables

AzureActivityAADUserRiskEvents

Keywords

AzureActivityAdministrativeOperationNameValueVirtualMachinesExtensionsWriteAADUserRiskEventsPrincipalCloudAppApplicationIdActionType

Operators

AzureActivitywhereTimeGeneratedagoCategoryValueOperationNameValue=~orextendtostringtodynamicPropertiessummarizemake_listActivityStatusValuemaxbyCorrelationIdCallerIpAddressCallerResourceGroupVMNamejoinkind=innerAADUserRiskEventson$left==$rightUserPrincipalName

MITRE Techniques

Actions

GitHub