IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [7.10] Detections and Alerts Prebuilt rule reference
« Azure Blob Container Access Level Modification Azure Conditional Access Policy Modified »

Azure Command Execution on Virtual Machineedit

Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.

Rule type: query

Rule indices:

  • filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Log Auditing

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Investigation guideedit

The Azure Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and
event.outcome:Success

Threat mappingedit

Framework: MITRE ATT&CKTM

« Azure Blob Container Access Level Modification Azure Conditional Access Policy Modified »