Detect first time Azure Custom Script or Run Command deployment
Detect First Time Azure Custom Script Or Run Command
Query
BehaviorAnalytics
| where TimeGenerated > ago(1h)
| extend ActivityInsights = parse_json(ActivityInsights)
| where ActivityInsights.EventMessage has_any ('runCommand/action', 'extensions/write')
| where ActivityInsights.FirstTimeUserPerformedAction == "True"About this query
Explanation
This query is designed to detect when an account is deploying Custom Scripts or Run Commands on Azure or Azure Arc machines for the first time. It uses User and Entity Behavior Analytics (UEBA) from Defender XDR and Microsoft Sentinel to identify such activities. The query checks for events that occurred in the last hour and looks for specific actions related to running commands or writing extensions. If an account is performing these actions for the first time, it may indicate potential misuse or compromise of the account, especially if these actions are not commonly used in the environment. This helps mitigate the risk of unauthorized access or actions by cloud admin accounts.
