T1578.004 Revert Cloud Instance Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect cloud instance snapshot revert operations (T1578.004)
// Covers Azure disk/VM restore operations and AWS snapshot-based recovery
let TimeWindow = 24h;
// Azure: Detect VM disk restore from snapshot, restore point operations, and VM recapture
let AzureRevertOps = AzureActivity
| where TimeGenerated > ago(TimeWindow)
| where OperationNameValue has_any (
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/restorePoints/write",
    "Microsoft.Compute/restorePointCollections/write",
    "Microsoft.Compute/virtualMachines/capture/action",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recovery/action"
  )
| where ActivityStatusValue =~ "Success"
| where Properties_d has_any ("snapshot", "restorePoint", "diskRestorePoint", "creationData", "Copy", "Restore")
| extend CloudProvider = "Azure"
| extend ActorIdentity = Caller
| extend SourceIP = CallerIpAddress
| extend Operation = OperationNameValue
| extend TargetResource = _ResourceId
| project TimeGenerated, CloudProvider, ActorIdentity, SourceIP, Operation, TargetResource, ResourceGroup, SubscriptionId;
// AWS: Detect EC2/EBS snapshot restore and instance revert operations via CloudTrail
let AWSRevertOps = AWSCloudTrail
| where TimeGenerated > ago(TimeWindow)
| where EventName in (
    "ImportSnapshot",
    "RestoreSnapshotTier",
    "CreateRestoreImageTask",
    "CopySnapshot",
    "RegisterImage",
    "RunInstances",
    "AttachVolume",
    "DetachVolume",
    "ModifyVolume",
    "StopInstances",
    "StartInstances"
  )
| where isempty(ErrorCode)
| extend CloudProvider = "AWS"
| extend ActorIdentity = UserIdentityArn
| extend SourceIP = SourceIpAddress
| extend Operation = EventName
| extend TargetResource = tostring(RequestParameters)
| project TimeGenerated, CloudProvider, ActorIdentity, SourceIP, Operation, TargetResource, AWSRegion, RecipientAccountId;
// Union results and annotate operation type
AzureRevertOps
| union AWSRevertOps
| extend IsEphemeralReset = (Operation in ("StopInstances", "StartInstances"))
| extend IsSnapshotRestore = (Operation has_any ("snapshot", "Snapshot", "restorePoint", "RestoreImage", "RegisterImage", "ImportSnapshot", "CopySnapshot", "RestoreSnapshotTier", "CreateRestoreImageTask", "recovery"))
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Instance: Instance Stop Instance: Instance Start Snapshot: Snapshot Modification Azure Activity Logs AWS CloudTrail

Required Tables

AzureActivity AWSCloudTrail

False Positives

Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket
Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills
Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines
Patch rollback procedures reverting instances after a failed software update or breaking configuration change
Chaos engineering or resilience testing platforms (e.g., AWS Fault Injection Simulator, Azure Chaos Studio) that deliberately stop and restart instances

Splunk

spl

(index=aws sourcetype="aws:cloudtrail"
  (eventName="ImportSnapshot" OR eventName="RestoreSnapshotTier" OR eventName="CreateRestoreImageTask"
   OR eventName="CopySnapshot" OR eventName="RegisterImage"
   OR eventName="AttachVolume" OR eventName="ModifyVolume"
   OR eventName="StopInstances" OR eventName="StartInstances"
   OR eventName="RunInstances")
  errorCode=""
| eval CloudProvider="AWS"
| eval ActorIdentity='userIdentity.arn'
| eval Operation=eventName
| eval TargetResource=coalesce('requestParameters.volumeId','requestParameters.instanceId','requestParameters.imageId',"unknown")
| eval SourceIP=sourceIPAddress
| eval IsSnapshotRestore=if(match(eventName,"(?i)(snapshot|RestoreImage|RegisterImage|ImportSnapshot|CopySnapshot|RestoreSnapshotTier|CreateRestoreImageTask)"),1,0)
| eval IsEphemeralReset=if(eventName="StopInstances" OR eventName="StartInstances",1,0)
| eval SuspicionScore=IsSnapshotRestore+IsEphemeralReset)
OR
(index=azure sourcetype="mscs:azure:eventhub"
  (operationName="MICROSOFT.COMPUTE/DISKS/WRITE"
   OR operationName="MICROSOFT.COMPUTE/RESTOREPOINTS/WRITE"
   OR operationName="MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/WRITE"
   OR operationName="MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/PROTECTIONCONTAINERS/PROTECTEDITEMS/RECOVERY/ACTION"
   OR operationName="MICROSOFT.COMPUTE/VIRTUALMACHINES/CAPTURE/ACTION")
  status.value="Succeeded"
| eval CloudProvider="Azure"
| eval ActorIdentity=caller
| eval Operation=operationName
| eval TargetResource=resourceId
| eval SourceIP=callerIpAddress
| eval IsSnapshotRestore=if(match(_raw,"(?i)(snapshot|restorePoint|diskRestorePoint|creationData|\"Copy\")"),1,0)
| eval IsEphemeralReset=0
| eval SuspicionScore=IsSnapshotRestore)
| where SuspicionScore > 0
| table _time, CloudProvider, ActorIdentity, SourceIP, Operation, TargetResource, IsSnapshotRestore, IsEphemeralReset, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Instance: Instance Stop Instance: Instance Start Snapshot: Snapshot Modification AWS CloudTrail Azure Activity Logs

Required Sourcetypes

aws:cloudtrail mscs:azure:eventhub

False Positives

Legitimate disaster recovery operations by cloud operations teams restoring instances from approved snapshots per a runbook or change ticket
Automated backup and restore testing performed by cloud platform engineering or DevOps teams as part of DR drills
Development and staging environment resets where instances are routinely reverted to known-good snapshots via CI/CD pipelines
Patch rollback procedures reverting instances after a failed software update or breaking configuration change
Chaos engineering or resilience testing platforms (e.g., AWS Fault Injection Simulator, Azure Chaos Studio) that deliberately stop and restart instances

Elastic Security (EQL)

eql

any where event.dataset == "azure.activitylogs"
  and event.action : ("Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/disks/write")
  and not user.name : ("azure-backup-service", "azure-site-recovery")

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

logs-azure.activitylogs.* logs-aws.cloudtrail.*

False Positives

Authorized cloud administrators performing routine snapshot operations
Automated backup solutions creating scheduled snapshots via service accounts
Disaster recovery testing that involves creating and sharing snapshots across accounts
DevOps pipelines that create instance images as part of CI/CD workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

events

False Positives

Authorized cloud administrators performing snapshot and backup operations
Automated DR solutions creating scheduled cloud instance snapshots
DevOps pipelines creating and deleting instances as part of CI/CD
Authorized infrastructure scaling or migration events

Sumo Logic CSE

sql

_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
    if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
    if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
    if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

_sourceCategory=*azure* _sourceCategory=*aws*cloudtrail*

False Positives

Cloud administrators creating authorized snapshots for backup or migration
Automated disaster recovery systems creating scheduled cloud snapshots
DevOps pipelines creating and deleting compute instances as part of CI/CD
Authorized cloud infrastructure migrations between regions or accounts

Google Chronicle / SecOps

yaral

rule T1578_004_cloud_infra_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious cloud infrastructure modifications"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1578.004"
    reference = "https://attack.mitre.org/techniques/T1578/004/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
    not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Cloud audit logs (Azure/AWS)

Required Tables

USER_RESOURCE_ACCESS

False Positives

Authorized cloud administrators performing scheduled backup snapshot creation
Automated disaster recovery solutions creating routine cloud instance snapshots
DevOps CI/CD pipelines creating and deleting compute instances during deployments
Authorized cloud migration projects moving instances between regions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
    OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
    OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security) Cloud audit logs

Required Tables

CloudResourceModification

False Positives

Authorized cloud administrators performing routine snapshot and backup operations
Automated DR and backup solutions creating scheduled cloud instance snapshots
DevOps CI/CD pipelines that create and destroy cloud instances during deployments
Authorized cloud migration projects moving or replicating compute instances

Revert Cloud Instance

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections