Detect Custom Script or Run Command deployment by risky user
Detect Azure Script Or Run Command By Risky User
Query
AzureActivity
| where TimeGenerated > ago(1h)
| where CategoryValue == "Administrative"
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/runCommand/action"
or OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
| extend VMName = tostring(todynamic(Properties).resource)
| summarize make_list(ActivityStatusValue), TimeGenerated = max(TimeGenerated) by CorrelationId, CallerIpAddress, Caller, ResourceGroup, VMName
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(14d) ) on $left.Caller == $right.UserPrincipalNameAbout this query
Explanation
This query is designed to identify potentially risky activities involving the deployment of custom scripts or run commands on Azure or Azure Arc virtual machines by users flagged as risky in Entra ID Identity Protection. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
AzureActivitytable, which logs activities related to Azure resources. -
Time Frame: The query focuses on activities that occurred in the last hour (
TimeGenerated > ago(1h)). -
Activity Type: It filters for activities categorized as "Administrative" and specifically looks for operations related to running commands or writing extensions on virtual machines (
OperationNameValue). -
Extracting Information: It extracts the virtual machine name from the activity properties and summarizes the activities by correlation ID, IP address of the caller, the caller's identity, resource group, and virtual machine name.
-
Risky Users: The query then joins this information with the
AADUserRiskEventstable to find users who have been flagged for risk events in the last 14 days (TimeGenerated > ago(14d)). -
Purpose: The goal is to detect if a user with a history of risky behavior is deploying scripts or commands on virtual machines, which could indicate a compromised account attempting lateral movement within the cloud environment.
This detection rule helps mitigate the risk of unauthorized or malicious activities by identifying potentially compromised cloud admin accounts engaging in suspicious actions.
Details

Robbe Van den Daele
Released: October 22, 2025
Tables
Keywords
Operators