Azure New CloudShell Created
Identifies when a new cloudshell is created inside of Azure portal.
Sigma rule
title: Azure New CloudShell Created
id: 72af37e2-ec32-47dc-992b-bc288a2708cb
status: test
description: Identifies when a new cloudshell is created inside of Azure portal.
references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021/09/21
modified: 2022/08/23
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
    condition: selection
falsepositives:
    - A new cloudshell may be created by a system administrator.
level: medium
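The following is an added example, not part of the Sigma project or the original rule: it applies the rule's selection to a few constructed Activity Log records and flags whether the caller is an expected administrator, per the false-positive note. The `caller` and `time` field names, the sample addresses and the `known_admins` parameter are assumptions made for illustration.

```python
import json

# Value from the rule's selection; Sigma compares plain strings case-insensitively.
RULE_OPERATION = "MICROSOFT.PORTAL/CONSOLES/WRITE"

# Constructed sample events (not real tenant data). operationName arrives as a
# plain string in diagnostic-settings exports and as {"value": ...} from the REST API.
SAMPLE_EVENTS = """
{"time": "2024-01-01T10:00:00Z", "operationName": "MICROSOFT.PORTAL/CONSOLES/WRITE", "caller": "admin@example.com"}
{"time": "2024-01-01T10:05:00Z", "operationName": {"value": "Microsoft.Portal/consoles/write"}, "caller": "user@example.com"}
{"time": "2024-01-01T10:06:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "caller": "user@example.com"}
{"time": "2024-01-01T10:07:00Z", "caller": "svc@example.com"}
not-json
"""

def operation_name(event):
    """Return the operation name as a string, or None when it is absent."""
    op = event.get("operationName")
    if isinstance(op, dict):          # REST API shape
        op = op.get("value")
    return op if isinstance(op, str) else None

def matches_rule(event):
    """True when the event satisfies the rule's single selection."""
    op = operation_name(event)
    return op is not None and op.casefold() == RULE_OPERATION.casefold()

def detect(raw_lines, known_admins=frozenset()):
    """Return one alert dict per matching event; malformed lines are skipped."""
    alerts = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches_rule(event):
            caller = event.get("caller", "unknown")
            alerts.append({"time": event.get("time"), "caller": caller,
                           "known_admin": caller in known_admins})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, known_admins={"admin@example.com"}):
        print(alert)
```

Alerts with `known_admin` set to false are the ones worth triaging first; the allowlist only lowers priority and does not suppress the event.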
Related rules
- Atlassian Confluence CVE-2022-26134
- BPFDoor Abnormal Process ID or Lock File Accessed
- Parent in Public Folder Suspicious Process
- Payload Decoded and Decrypted via Built-in Utilities
- Python Spawning Pretty TTY on Windows