T1578.005 Microsoft Sentinel · KQL

Detect Modify Cloud Compute Configurations in Microsoft Sentinel

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1578 Modify Cloud Compute Infrastructure
Sub-technique
T1578.005 Modify Cloud Compute Configurations
Canonical reference
https://attack.mitre.org/techniques/T1578/005/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousComputeOps = dynamic([
  "MICROSOFT.QUOTA/QUOTAS/WRITE",
  "MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE",
  "MICROSOFT.CAPACITY/CATALOGS/OFFERS/WRITE",
  "MICROSOFT.COMPUTE/LOCATIONS/USAGES/WRITE",
  "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE",
  "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
  "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
  "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
  "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/WRITE",
  "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE",
  "MICROSOFT.SUBSCRIPTION/SUBSCRIPTIONS/LOCATIONS/WRITE",
  "MICROSOFT.FEATURES/FEATURES/REGISTER",
  "MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER"
]);
AzureActivity
| where TimeGenerated > ago(24h)
| where tostring(OperationNameValue) has_any (SuspiciousComputeOps)
| where ActivityStatusValue =~ "Success" or ActivityStatusValue =~ "Succeeded"
| extend CallerUPN = tostring(Claims.upn)
| extend CallerAppId = tostring(Claims.appid)
| extend CallerObjectId = tostring(Claims.oid)
| extend IsServicePrincipal = isempty(CallerUPN)
| extend EffectiveCaller = iif(IsServicePrincipal, strcat("SP:", CallerAppId), CallerUPN)
| extend PolicyOperation = OperationNameValue has "POLICYASSIGNMENT" or OperationNameValue has "POLICYEXEMPTION" or OperationNameValue has "POLICYSETDEFINITION"
| extend QuotaOperation = OperationNameValue has "QUOTA" or OperationNameValue has "CAPACITY"
| extend RegionOperation = OperationNameValue has "LOCATIONS" or OperationNameValue has "FEATURES"
| project TimeGenerated, CallerIpAddress, EffectiveCaller, CallerUPN, CallerAppId, IsServicePrincipal,
         OperationNameValue, ResourceGroup, _ResourceId, SubscriptionId,
         PolicyOperation, QuotaOperation, RegionOperation,
         Properties, HTTPRequest
| sort by TimeGenerated desc
high severity medium confidence

Detects modifications to Azure cloud compute configurations including quota increase requests, Azure Policy assignment modifications or deletions (which could remove VM size or region restrictions), policy exemptions, and feature/region registrations. Uses the AzureActivity table which captures Azure Resource Manager control-plane operations. Flags both user and service principal callers. PolicyOperation, QuotaOperation, and RegionOperation boolean fields help analysts triage the specific category of configuration change.

Data Sources

Cloud Service: Cloud Service ModificationAzure Activity LogAzure Resource ManagerAzure Policy

Required Tables

AzureActivity

False Positives & Tuning

  • Cloud infrastructure teams legitimately requesting quota increases for planned expansion or new workloads
  • Azure Policy assignments being modified during sanctioned governance reviews or policy updates by the security team
  • DevOps automation pipelines (Terraform, Bicep, Azure DevOps) that manage infrastructure-as-code including policy and quota configurations
  • Cloud governance tooling (Azure Blueprints, Defender for Cloud regulatory compliance) that modifies policy assignments as part of compliance remediation
  • Service principals used by approved CSPM or cloud management platforms that regularly enumerate or adjust resource configurations
Download portable Sigma rule (.yml)

Other platforms for T1578.005

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure Quota Increase Request via Azure CLI

    Expected signal: AzureActivity log entry with OperationNameValue='MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE', ActivityStatusValue='Succeeded', CallerIpAddress matching the machine running the command, Claims.upn matching the authenticated Azure CLI user.

  2. Test 2Delete Azure Policy Assignment via Azure CLI

    Expected signal: Two AzureActivity entries: first with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE' (creation), second with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE' (deletion). Both with ActivityStatusValue='Succeeded'. The DELETE operation is the high-severity event that triggers alerting.

  3. Test 3Enable Unused Azure Region via Feature Registration

    Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER' or 'MICROSOFT.RESOURCES/PROVIDERS/REGISTER', ActivityStatusValue='Succeeded'. CallerIpAddress and Claims.upn identify the caller.

  4. Test 4Create Azure Policy Exemption to Bypass Security Control

    Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE', ActivityStatusValue='Succeeded'. The exemption category (Waiver vs Mitigated), scope, and referenced policy assignment are captured in the Properties field.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1578.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1578Modify Cloud Compute Infrastructure

Related Sub-techniques

T1578.001Create SnapshotT1578.002Create Cloud InstanceT1578.003Delete Cloud InstanceT1578.004Revert Cloud Instance

Related Techniques

T1578Modify Cloud Compute InfrastructureT1578.001Create SnapshotT1578.002Create Cloud InstanceT1578.004Revert Cloud InstanceT1535Unused/Unsupported Cloud RegionsT1496Resource HijackingT1496.004Cloud Service HijackingT1098.003Additional Cloud RolesT1190Exploit Public-Facing ApplicationT1552.008Chat Messages

Same Tactic: Defense Evasion

Popular Detections