Query Details

Detect first time Azure Custom Script or Run Command deployment

Detect First Time Azure Custom Script Or Run Command

Query

BehaviorAnalytics
| where TimeGenerated > ago(1h)
| extend ActivityInsights = parse_json(ActivityInsights)
| where ActivityInsights.EventMessage has_any ('runCommand/action', 'extensions/write')
| where ActivityInsights.FirstTimeUserPerformedAction == "True"

About this query

Explanation

This query is designed to detect when an account is deploying Custom Scripts or Run Commands on Azure or Azure Arc machines for the first time. It uses User and Entity Behavior Analytics (UEBA) from Defender XDR and Microsoft Sentinel to identify such activities. The query checks for events that occurred in the last hour and looks for specific actions related to running commands or writing extensions. If an account is performing these actions for the first time, it may indicate potential misuse or compromise of the account, especially if these actions are not commonly used in the environment. This helps mitigate the risk of unauthorized access or actions by cloud admin accounts.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: October 6, 2025

Tables

BehaviorAnalytics

Keywords

BehaviorAnalyticsActivityInsightsEventMessageTimeGeneratedFirstTimeUserPerformedAction

Operators

|>ago()extendparse_json()has_any==

MITRE Techniques

Actions

GitHub