Which SIEM platforms have a T1578 detection rule?

df00tech provides T1578 (Modify Cloud Compute Infrastructure) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Modify Cloud Compute Infrastructure (T1578)?

Detecting Modify Cloud Compute Infrastructure requires the following data sources: Azure Monitor, Azure Activity Logs, Microsoft Sentinel.

What severity and confidence is the T1578 detection?

The T1578 detection is rated high severity with medium confidence.

What are common false positives for T1578?

Common false positives for T1578 include: Legitimate DevOps CI/CD pipelines creating and deleting ephemeral build VMs during automated deployment workflows; Authorized disaster recovery tests involving snapshot creation, VM replication, and failover exercises; Infrastructure-as-Code tooling (Terraform, Bicep, ARM templates) running bulk creates/deletes during planned maintenance windows.

T1578: Modify Cloud Compute Infrastructure — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

AzureActivity
| where TimeGenerated >= ago(1d)
| where ResourceProviderValue =~ "Microsoft.Compute"
| where OperationNameValue has_any (
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/generalize/action",
    "Microsoft.Compute/virtualMachines/capture/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.Compute/restorePointCollections/write"
)
| where ActivityStatusValue in~ ("Succeeded", "Started")
| extend CallerIp = tostring(CallerIpAddress)
| extend PrincipalName = tostring(Caller)
| extend OperationType = case(
    OperationNameValue has "delete", "DELETE",
    OperationNameValue has "/write", "CREATE_OR_MODIFY",
    OperationNameValue has "capture", "CAPTURE",
    OperationNameValue has "generalize", "GENERALIZE",
    OperationNameValue has "deallocate", "DEALLOCATE",
    OperationNameValue has "extension", "EXTENSION_CHANGE",
    "OTHER"
)
| extend RiskScore = case(
    OperationType == "DELETE", 3,
    OperationType == "CAPTURE", 3,
    OperationType == "GENERALIZE", 3,
    OperationType == "EXTENSION_CHANGE", 2,
    OperationType == "CREATE_OR_MODIFY", 1,
    0
)
| summarize
    OperationCount = count(),
    UniqueResources = dcount(ResourceId),
    OperationTypes = make_set(OperationType),
    TotalRiskScore = sum(RiskScore),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Resources = make_set(ResourceId, 10)
    by PrincipalName, CallerIp, ResourceGroup, SubscriptionId
| where TotalRiskScore >= 3 or (OperationCount >= 5 and UniqueResources >= 3)
| extend AlertReason = case(
    TotalRiskScore >= 6, "High-risk compute operations: multiple delete/capture/generalize actions",
    TotalRiskScore >= 3 and OperationCount >= 5, "Elevated compute modification activity with destructive operations",
    OperationCount >= 5 and UniqueResources >= 3, "Bulk modifications across multiple compute resources",
    "Suspicious compute infrastructure modification"
)
| project
    FirstSeen,
    LastSeen,
    PrincipalName,
    CallerIp,
    ResourceGroup,
    SubscriptionId,
    OperationCount,
    UniqueResources,
    OperationTypes,
    TotalRiskScore,
    AlertReason,
    Resources
| sort by TotalRiskScore desc, OperationCount desc

Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1pt) and alerts when cumulative risk score reaches 3 or bulk modifications occur across 3+ resources. Covers VM lifecycle operations, snapshot creation/deletion, disk manipulation, generalization, capture, extension changes, and scale set modifications.

high severity medium confidence

Data Sources

Azure Monitor Azure Activity Logs Microsoft Sentinel

Required Tables

AzureActivity

False Positives

Legitimate DevOps CI/CD pipelines creating and deleting ephemeral build VMs during automated deployment workflows
Authorized disaster recovery tests involving snapshot creation, VM replication, and failover exercises
Infrastructure-as-Code tooling (Terraform, Bicep, ARM templates) running bulk creates/deletes during planned maintenance windows
Cloud cost optimization scripts automatically deallocating idle VMs on a schedule
Security scanning tools or backup agents installing VM extensions across a fleet

Splunk

spl

index=* sourcetype="aws:cloudtrail"
| search eventSource="ec2.amazonaws.com" OR eventSource="compute.amazonaws.com"
| search eventName IN (
    "RunInstances", "TerminateInstances", "StopInstances",
    "CreateSnapshot", "DeleteSnapshot", "CopySnapshot",
    "CreateImage", "DeregisterImage", "DeleteImage",
    "ModifyInstanceAttribute", "ModifySnapshotAttribute",
    "CreateVolume", "DeleteVolume", "ModifyVolume",
    "AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation",
    "CreateInstanceExportTask", "ImportInstance"
)
| spath input=userIdentity output=principalId path=arn
| spath input=userIdentity output=principalType path=type
| spath input=userIdentity output=accountId path=accountId
| eval sourceIP = coalesce(sourceIPAddress, "unknown")
| eval region = awsRegion
| eval riskScore = case(
    eventName IN ("TerminateInstances", "DeleteSnapshot", "DeregisterImage", "DeleteImage", "DeleteVolume"), 3,
    eventName IN ("CreateImage", "CreateSnapshot", "CopySnapshot", "CreateInstanceExportTask", "ImportInstance"), 3,
    eventName IN ("AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation", "ModifyInstanceAttribute"), 2,
    1
)
| eval isSuspicious = case(
    match(sourceIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 0,
    errorCode="AccessDenied", 1,
    1=1, 0
)
| stats
    sum(riskScore) as totalRisk,
    count as opCount,
    dc(requestParameters.instanceId) as uniqueInstances,
    values(eventName) as operations,
    values(region) as regions,
    values(requestParameters.snapshotId) as snapshots,
    min(_time) as firstSeen,
    max(_time) as lastSeen
    by principalId, sourceIP, accountId
| where totalRisk >= 4 OR (opCount >= 6 AND uniqueInstances >= 3)
| eval alertSeverity = case(
    totalRisk >= 9, "CRITICAL",
    totalRisk >= 6, "HIGH",
    totalRisk >= 3, "MEDIUM",
    "LOW"
)
| eval alertReason = case(
    totalRisk >= 9, "Critical: mass compute infrastructure modification including destructive actions",
    totalRisk >= 6 AND match(mvjoin(operations, " "), "(Terminate|Delete|Deregister)"), "High-risk: destructive compute ops with export/imaging activity",
    opCount >= 6, "Bulk compute operations across multiple instances by single principal",
    "Elevated cloud compute infrastructure modification activity"
)
| table firstSeen, lastSeen, principalId, sourceIP, accountId, regions, opCount, totalRisk, alertSeverity, alertReason, operations, snapshots
| sort - totalRisk

Monitors AWS CloudTrail for anomalous EC2 compute infrastructure modifications by a single IAM principal. Scores events by destructiveness and exfiltration potential (terminate/delete/export/import=3pts, IAM profile changes/attribute modification=2pts, creates=1pt) and alerts when cumulative score reaches 4 or bulk operations span 3+ unique instances. Covers instance lifecycle, snapshot operations, AMI management, volume manipulation, and IAM profile association changes.

high severity medium confidence

Data Sources

AWS CloudTrail Splunk AWS Add-on

Required Sourcetypes

aws:cloudtrail

False Positives

Automated scaling events from AWS Auto Scaling Groups triggering RunInstances/TerminateInstances at high volume during traffic spikes
Backup and disaster recovery solutions (AWS Backup, Veeam) creating scheduled snapshots and AMIs across production fleets
Infrastructure automation pipelines (Terraform, Ansible, AWS CDK) performing bulk creates and terminates during blue/green deployments
AWS Spot Instance interruptions triggering mass TerminateInstances events from AWS service principals
Security compliance tooling scanning and modifying instance attributes to enforce organizational policy baselines

Elastic Security (EQL)

eql

any where event.dataset == "azure.activitylogs"
  and event.action : ("Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/disks/write")
  and not user.name : ("azure-backup-service", "azure-site-recovery")

Elastic EQL detection for Modify Cloud Compute Infrastructure. Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

logs-azure.activitylogs.* logs-aws.cloudtrail.*

False Positives

Authorized cloud administrators performing routine snapshot operations
Automated backup solutions creating scheduled snapshots via service accounts
Disaster recovery testing that involves creating and sharing snapshots across accounts
DevOps pipelines that create instance images as part of CI/CD workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

QRadar AQL detection for Modify Cloud Compute Infrastructure. Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

events

False Positives

Authorized cloud administrators performing snapshot and backup operations
Automated DR solutions creating scheduled cloud instance snapshots
DevOps pipelines creating and deleting instances as part of CI/CD
Authorized infrastructure scaling or migration events

Sumo Logic CSE

sql

_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
    if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
    if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
    if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

Sumo Logic detection for Modify Cloud Compute Infrastructure. Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

_sourceCategory=*azure* _sourceCategory=*aws*cloudtrail*

False Positives

Cloud administrators creating authorized snapshots for backup or migration
Automated disaster recovery systems creating scheduled cloud snapshots
DevOps pipelines creating and deleting compute instances as part of CI/CD
Authorized cloud infrastructure migrations between regions or accounts

Google Chronicle / SecOps

yaral

rule T1578_cloud_infra_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious cloud infrastructure modifications"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1578"
    reference = "https://attack.mitre.org/techniques/T1578/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
    not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection for Modify Cloud Compute Infrastructure. Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1

high severity medium confidence

Data Sources

Google Chronicle SIEM Cloud audit logs (Azure/AWS)

Required Tables

USER_RESOURCE_ACCESS

False Positives

Authorized cloud administrators performing scheduled backup snapshot creation
Automated disaster recovery solutions creating routine cloud instance snapshots
DevOps CI/CD pipelines creating and deleting compute instances during deployments
Authorized cloud migration projects moving instances between regions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
    OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
    OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)

CrowdStrike LogScale (Falcon) CQL detection for Modify Cloud Compute Infrastructure. Monitors Azure Activity logs for anomalous compute infrastructure modifications by a single principal. Scores operations by risk (DELETE/CAPTURE/GENERALIZE=3pts, EXTENSION_CHANGE=2pts, CREATE/MODIFY=1

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security) Cloud audit logs

Required Tables

CloudResourceModification

False Positives

Authorized cloud administrators performing routine snapshot and backup operations
Automated DR and backup solutions creating scheduled cloud instance snapshots
DevOps CI/CD pipelines that create and destroy cloud instances during deployments
Authorized cloud migration projects moving or replicating compute instances

Modify Cloud Compute Infrastructure

What is T1578 Modify Cloud Compute Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1578

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (5)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1578 Modify Cloud Compute Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1578

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (5)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox