T1578 Modify Cloud Compute Infrastructure Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

AzureActivity
| where TimeGenerated >= ago(1d)
| where ResourceProviderValue =~ "Microsoft.Compute"
| where OperationNameValue has_any (
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/generalize/action",
    "Microsoft.Compute/virtualMachines/capture/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.Compute/restorePointCollections/write"
)
| where ActivityStatusValue in~ ("Succeeded", "Started")
| extend CallerIp = tostring(CallerIpAddress)
| extend PrincipalName = tostring(Caller)
| extend OperationType = case(
    OperationNameValue has "delete", "DELETE",
    OperationNameValue has "/write", "CREATE_OR_MODIFY",
    OperationNameValue has "capture", "CAPTURE",
    OperationNameValue has "generalize", "GENERALIZE",
    OperationNameValue has "deallocate", "DEALLOCATE",
    OperationNameValue has "extension", "EXTENSION_CHANGE",
    "OTHER"
)
| extend RiskScore = case(
    OperationType == "DELETE", 3,
    OperationType == "CAPTURE", 3,
    OperationType == "GENERALIZE", 3,
    OperationType == "EXTENSION_CHANGE", 2,
    OperationType == "CREATE_OR_MODIFY", 1,
    0
)
| summarize
    OperationCount = count(),
    UniqueResources = dcount(ResourceId),
    OperationTypes = make_set(OperationType),
    TotalRiskScore = sum(RiskScore),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Resources = make_set(ResourceId, 10)
    by PrincipalName, CallerIp, ResourceGroup, SubscriptionId
| where TotalRiskScore >= 3 or (OperationCount >= 5 and UniqueResources >= 3)
| extend AlertReason = case(
    TotalRiskScore >= 6, "High-risk compute operations: multiple delete/capture/generalize actions",
    TotalRiskScore >= 3 and OperationCount >= 5, "Elevated compute modification activity with destructive operations",
    OperationCount >= 5 and UniqueResources >= 3, "Bulk modifications across multiple compute resources",
    "Suspicious compute infrastructure modification"
)
| project
    FirstSeen,
    LastSeen,
    PrincipalName,
    CallerIp,
    ResourceGroup,
    SubscriptionId,
    OperationCount,
    UniqueResources,
    OperationTypes,
    TotalRiskScore,
    AlertReason,
    Resources
| sort by TotalRiskScore desc, OperationCount desc

high severity medium confidence

Data Sources

Azure Monitor Azure Activity Logs Microsoft Sentinel

Required Tables

AzureActivity

False Positives

Legitimate DevOps CI/CD pipelines creating and deleting ephemeral build VMs during automated deployment workflows
Authorized disaster recovery tests involving snapshot creation, VM replication, and failover exercises
Infrastructure-as-Code tooling (Terraform, Bicep, ARM templates) running bulk creates/deletes during planned maintenance windows
Cloud cost optimization scripts automatically deallocating idle VMs on a schedule
Security scanning tools or backup agents installing VM extensions across a fleet

Splunk

spl

index=* sourcetype="aws:cloudtrail"
| search eventSource="ec2.amazonaws.com" OR eventSource="compute.amazonaws.com"
| search eventName IN (
    "RunInstances", "TerminateInstances", "StopInstances",
    "CreateSnapshot", "DeleteSnapshot", "CopySnapshot",
    "CreateImage", "DeregisterImage", "DeleteImage",
    "ModifyInstanceAttribute", "ModifySnapshotAttribute",
    "CreateVolume", "DeleteVolume", "ModifyVolume",
    "AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation",
    "CreateInstanceExportTask", "ImportInstance"
)
| spath input=userIdentity output=principalId path=arn
| spath input=userIdentity output=principalType path=type
| spath input=userIdentity output=accountId path=accountId
| eval sourceIP = coalesce(sourceIPAddress, "unknown")
| eval region = awsRegion
| eval riskScore = case(
    eventName IN ("TerminateInstances", "DeleteSnapshot", "DeregisterImage", "DeleteImage", "DeleteVolume"), 3,
    eventName IN ("CreateImage", "CreateSnapshot", "CopySnapshot", "CreateInstanceExportTask", "ImportInstance"), 3,
    eventName IN ("AssociateIamInstanceProfile", "ReplaceIamInstanceProfileAssociation", "ModifyInstanceAttribute"), 2,
    1
)
| eval isSuspicious = case(
    match(sourceIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), 0,
    errorCode="AccessDenied", 1,
    1=1, 0
)
| stats
    sum(riskScore) as totalRisk,
    count as opCount,
    dc(requestParameters.instanceId) as uniqueInstances,
    values(eventName) as operations,
    values(region) as regions,
    values(requestParameters.snapshotId) as snapshots,
    min(_time) as firstSeen,
    max(_time) as lastSeen
    by principalId, sourceIP, accountId
| where totalRisk >= 4 OR (opCount >= 6 AND uniqueInstances >= 3)
| eval alertSeverity = case(
    totalRisk >= 9, "CRITICAL",
    totalRisk >= 6, "HIGH",
    totalRisk >= 3, "MEDIUM",
    "LOW"
)
| eval alertReason = case(
    totalRisk >= 9, "Critical: mass compute infrastructure modification including destructive actions",
    totalRisk >= 6 AND match(mvjoin(operations, " "), "(Terminate|Delete|Deregister)"), "High-risk: destructive compute ops with export/imaging activity",
    opCount >= 6, "Bulk compute operations across multiple instances by single principal",
    "Elevated cloud compute infrastructure modification activity"
)
| table firstSeen, lastSeen, principalId, sourceIP, accountId, regions, opCount, totalRisk, alertSeverity, alertReason, operations, snapshots
| sort - totalRisk

high severity medium confidence

Data Sources

AWS CloudTrail Splunk AWS Add-on

Required Sourcetypes

aws:cloudtrail

False Positives

Automated scaling events from AWS Auto Scaling Groups triggering RunInstances/TerminateInstances at high volume during traffic spikes
Backup and disaster recovery solutions (AWS Backup, Veeam) creating scheduled snapshots and AMIs across production fleets
Infrastructure automation pipelines (Terraform, Ansible, AWS CDK) performing bulk creates and terminates during blue/green deployments
AWS Spot Instance interruptions triggering mass TerminateInstances events from AWS service principals
Security compliance tooling scanning and modifying instance attributes to enforce organizational policy baselines

Elastic Security (EQL)

eql

any where event.dataset == "azure.activitylogs"
  and event.action : ("Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/disks/write")
  and not user.name : ("azure-backup-service", "azure-site-recovery")

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

logs-azure.activitylogs.* logs-aws.cloudtrail.*

False Positives

Authorized cloud administrators performing routine snapshot operations
Automated backup solutions creating scheduled snapshots via service accounts
Disaster recovery testing that involves creating and sharing snapshots across accounts
DevOps pipelines that create instance images as part of CI/CD workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

events

False Positives

Authorized cloud administrators performing snapshot and backup operations
Automated DR solutions creating scheduled cloud instance snapshots
DevOps pipelines creating and deleting instances as part of CI/CD
Authorized infrastructure scaling or migration events

Sumo Logic CSE

sql

_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
    if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
    if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
    if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

_sourceCategory=*azure* _sourceCategory=*aws*cloudtrail*

False Positives

Cloud administrators creating authorized snapshots for backup or migration
Automated disaster recovery systems creating scheduled cloud snapshots
DevOps pipelines creating and deleting compute instances as part of CI/CD
Authorized cloud infrastructure migrations between regions or accounts

Google Chronicle / SecOps

yaral

rule T1578_cloud_infra_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious cloud infrastructure modifications"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1578"
    reference = "https://attack.mitre.org/techniques/T1578/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
    not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Cloud audit logs (Azure/AWS)

Required Tables

USER_RESOURCE_ACCESS

False Positives

Authorized cloud administrators performing scheduled backup snapshot creation
Automated disaster recovery solutions creating routine cloud instance snapshots
DevOps CI/CD pipelines creating and deleting compute instances during deployments
Authorized cloud migration projects moving instances between regions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
    OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
    OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security) Cloud audit logs

Required Tables

CloudResourceModification

False Positives

Authorized cloud administrators performing routine snapshot and backup operations
Automated DR and backup solutions creating scheduled cloud instance snapshots
DevOps CI/CD pipelines that create and destroy cloud instances during deployments
Authorized cloud migration projects moving or replicating compute instances

Modify Cloud Compute Infrastructure

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Defense Evasion

Popular Detections