Azure New CloudShell Created

Identifies when a new cloudshell is created inside of Azure portal.

Sigma rule (View on GitHub)

 1title: Azure New CloudShell Created
 2id: 72af37e2-ec32-47dc-992b-bc288a2708cb
 3status: test
 4description: Identifies when a new cloudshell is created inside of Azure portal.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 7author: Austin Songer
 8date: 2021-09-21
 9modified: 2022-08-23
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    product: azure
15    service: activitylogs
16detection:
17    selection:
18        operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
19    condition: selection
20falsepositives:
21    - A new cloudshell may be created by a system administrator.
22level: medium

References

Related rules

to-top