Query Details

VM Creation Using Azure Activity

Query

// Could be useful as part of rogue VM creation hunting; the response body also carries the
// resource tags, so a check that they comply with the org tagging standard can be added.
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
//
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue in~ (operationList)
// HTTP 201 Created: a new resource, not an update of an existing one (200 OK)
| where ActivitySubstatusValue == "Created"
// responseBody is a JSON string nested inside Properties, so it has to be parsed a second time
| extend ResponseBody = parse_json(tostring(Properties_d.responseBody))
| extend ProvisioningState = ResponseBody.properties.provisioningState,
    VM_ID = ResponseBody.properties.vmId,
    ImageReference_Offer = ResponseBody.properties.storageProfile.imageReference.offer,
    ImageReference_Exact_version = ResponseBody.properties.storageProfile.imageReference.exactVersion,
    ImageReference_SKU = ResponseBody.properties.storageProfile.imageReference.sku
// Only search for Windows Server
| where ImageReference_Offer == "WindowsServer"

Explanation

This KQL (Kusto Query Language) query helps identify potentially unauthorized or "rogue" virtual machine (VM) creations in an Azure environment. Here's a breakdown of what it does:

  1. Define Operations of Interest: The query starts by listing the operations relevant to VM creation: the write action on virtual machines and the write action on resource deployments (ARM template deployments).

  2. Filter Azure Activity Logs: It reads the AzureActivity table for the past 90 days and keeps entries whose OperationNameValue matches the list. The in~ operator makes the comparison case-insensitive, which matters because the logged operation names are upper-case.

  3. Check for Successful Creations: It keeps only activities whose ActivitySubstatusValue is "Created", i.e. the HTTP 201 Created response. A write that updates an existing VM returns 200 OK instead, so this filter separates new VMs from modifications of existing ones.

  4. Extract VM Details: The response body is stored as a JSON string inside the Properties JSON, so it is parsed twice before the VM's fields can be read. The query extracts:

    • Provisioning State: The state of the VM provisioning process.
    • VM ID: The unique identifier of the VM.
    • Image Reference Details: The image the VM was built from: offer, exact version, and SKU.

  5. Focus on Windows Server VMs: Finally, it narrows the results to VMs whose image offer is "WindowsServer". Rows whose response body carries no image reference (for example deployment writes, whose response body describes the deployment rather than the VM) end up with an empty offer and are dropped by this filter.

This query can be useful for security and compliance purposes, particularly for checking that VM creations adhere to organizational policies. Note that, as written, it does not inspect tags itself; the response body also carries the resource's tags, so the query can be extended to flag VMs that lack the tags the organization requires.
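The following is an added example, not part of the original query or its author's material. It runs the same extraction over constructed AzureActivity-shaped rows (built with datatable so it can be tried without a workspace) and adds the tag-compliance check the query's comment suggests. The column names, operation names and the nested responseBody layout mirror real AzureActivity records; the callers, VM IDs, image versions and the RequiredTags list are invented for the example.

```kql
// Added example: page's extraction plus a tag check, over constructed sample rows.
let operationList = dynamic(["microsoft.compute/virtualmachines/write", "microsoft.resources/deployments/write"]);
let RequiredTags = dynamic(["Owner", "CostCenter"]);   // assumed org tagging standard (invented)
// Constructed rows standing in for AzureActivity. responseBody is a JSON *string* inside the
// Properties JSON, exactly as the real table stores it, hence the verbatim @'...' literals.
let SampleActivity = datatable(TimeGenerated:datetime, Caller:string, OperationNameValue:string, ActivitySubstatusValue:string, Properties:string)
[
    // 1. Compliant Windows Server VM: both required tags present
    datetime(2024-05-01 10:00:00), "alice@contoso.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Created",
    @'{"responseBody":"{\"tags\":{\"Owner\":\"alice\",\"CostCenter\":\"1234\"},\"properties\":{\"vmId\":\"11111111-1111-1111-1111-111111111111\",\"provisioningState\":\"Succeeded\",\"storageProfile\":{\"imageReference\":{\"offer\":\"WindowsServer\",\"sku\":\"2022-datacenter\",\"exactVersion\":\"20348.2402.240405\"}}}}"}',
    // 2. Windows Server VM missing CostCenter: the rogue-VM candidate
    datetime(2024-05-02 03:15:00), "svc-deploy@contoso.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Created",
    @'{"responseBody":"{\"tags\":{\"Owner\":\"unknown\"},\"properties\":{\"vmId\":\"22222222-2222-2222-2222-222222222222\",\"provisioningState\":\"Succeeded\",\"storageProfile\":{\"imageReference\":{\"offer\":\"WindowsServer\",\"sku\":\"2019-datacenter\",\"exactVersion\":\"17763.5696.240406\"}}}}"}',
    // 3. Linux VM: excluded by the offer filter
    datetime(2024-05-02 09:00:00), "bob@contoso.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Created",
    @'{"responseBody":"{\"tags\":{},\"properties\":{\"vmId\":\"33333333-3333-3333-3333-333333333333\",\"provisioningState\":\"Succeeded\",\"storageProfile\":{\"imageReference\":{\"offer\":\"0001-com-ubuntu-server-jammy\",\"sku\":\"22_04-lts\",\"exactVersion\":\"22.04.202404090\"}}}}"}',
    // 4. Update of an existing VM (HTTP 200 OK rather than 201 Created): excluded
    datetime(2024-05-03 11:30:00), "alice@contoso.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "OK",
    @'{"responseBody":"{\"tags\":{\"Owner\":\"alice\",\"CostCenter\":\"1234\"},\"properties\":{\"vmId\":\"11111111-1111-1111-1111-111111111111\",\"provisioningState\":\"Succeeded\",\"storageProfile\":{\"imageReference\":{\"offer\":\"WindowsServer\",\"sku\":\"2022-datacenter\",\"exactVersion\":\"20348.2402.240405\"}}}}"}'
];
SampleActivity
| where OperationNameValue in~ (operationList)
| where ActivitySubstatusValue == "Created"
// First parse gives the Properties object; second parse turns the responseBody string into an object
| extend Body = parse_json(tostring(parse_json(Properties).responseBody))
| extend ProvisioningState = tostring(Body.properties.provisioningState),
         VM_ID = tostring(Body.properties.vmId),
         ImageReference_Offer = tostring(Body.properties.storageProfile.imageReference.offer),
         ImageReference_SKU = tostring(Body.properties.storageProfile.imageReference.sku),
         ImageReference_Exact_version = tostring(Body.properties.storageProfile.imageReference.exactVersion),
         Tags = Body.tags
| where ImageReference_Offer == "WindowsServer"
// Tag compliance: which of the required tags are absent from the resource
| extend PresentTags = bag_keys(Tags)
| extend MissingTags = set_difference(RequiredTags, PresentTags)
| extend TagCompliant = array_length(MissingTags) == 0
| project TimeGenerated, Caller, VM_ID, ProvisioningState, ImageReference_Offer, ImageReference_SKU, ImageReference_Exact_version, MissingTags, TagCompliant
| order by TagCompliant asc, TimeGenerated asc
```

Rows 3 and 4 never reach the output (wrong offer, wrong substatus). Rows 1 and 2 do; row 2 surfaces first with MissingTags ["CostCenter"] and TagCompliant false, which is the VM an analyst would look at. To run this against a real workspace, replace SampleActivity with AzureActivity and add the time window (the original's `where TimeGenerated > ago(90d)`); Properties_d.responseBody can then stand in for parse_json(Properties).responseBody.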

Details


Jay Kerai

Released: June 5, 2026

Tables

AzureActivity

Keywords

AzureActivity

Operators

let, dynamic, AzureActivity, where, >, ago, in~, ==, extend, parse_json, tostring
