T1578.005 Splunk · SPL

Detect Modify Cloud Compute Configurations in Splunk

Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1578 Modify Cloud Compute Infrastructure
Sub-technique
T1578.005 Modify Cloud Compute Configurations
Canonical reference
https://attack.mitre.org/techniques/T1578/005/

SPL Detection Query

Splunk (SPL)
spl 
index=azure sourcetype="azure:activity"
  (operationName="Microsoft.Quota/quotas/write"
   OR operationName="Microsoft.Quota/quotaRequests/write"
   OR operationName="Microsoft.Authorization/policyAssignments/write"
   OR operationName="Microsoft.Authorization/policyAssignments/delete"
   OR operationName="Microsoft.Authorization/policyExemptions/write"
   OR operationName="Microsoft.Authorization/policySetDefinitions/write"
   OR operationName="Microsoft.Authorization/policySetDefinitions/delete"
   OR operationName="Microsoft.Compute/locations/usages/write"
   OR operationName="Microsoft.Features/features/register"
   OR operationName="Microsoft.Features/providers/features/register"
   OR operationName="Microsoft.Subscription/subscriptions/locations/write")
  status="Succeeded"
| eval CallerUPN=coalesce('claims.upn', "")
| eval CallerAppId=coalesce('claims.appid', "")
| eval IsServicePrincipal=if(len(CallerUPN)==0, 1, 0)
| eval EffectiveCaller=if(IsServicePrincipal==1, "SP:".CallerAppId, CallerUPN)
| eval PolicyOperation=if(match(operationName, "(?i)policyAssignment|policyExemption|policySetDefinition"), 1, 0)
| eval QuotaOperation=if(match(operationName, "(?i)quota|capacity"), 1, 0)
| eval RegionOperation=if(match(operationName, "(?i)locations/write|features/register"), 1, 0)
| eval RiskScore=PolicyOperation + QuotaOperation + RegionOperation
| table _time, EffectiveCaller, CallerUPN, CallerAppId, IsServicePrincipal, callerIpAddress,
        operationName, resourceGroup, subscriptionId,
        PolicyOperation, QuotaOperation, RegionOperation, RiskScore
| sort - _time
high severity medium confidence

Detects Azure cloud compute configuration modifications using the Azure Activity log sourcetype from the Splunk Add-on for Microsoft Cloud Services. Covers quota increase requests, policy assignment and exemption changes, policy set definition modifications, region/feature registrations, and VM usage limit writes. Evaluates each event against three risk categories (policy, quota, region) and assigns a cumulative risk score. Service principal callers are flagged explicitly as they represent automation that may indicate a compromised application identity.

Data Sources

Cloud Service: Cloud Service ModificationAzure Activity LogAzure Resource Manager

Required Sourcetypes

azure:activity

False Positives & Tuning

  • Cloud infrastructure teams legitimately requesting quota increases for planned expansion or new workloads
  • Azure Policy assignments being modified during sanctioned governance reviews or policy updates by the security team
  • DevOps automation pipelines (Terraform, Bicep, Azure DevOps) that manage infrastructure-as-code including policy and quota configurations
  • Cloud governance tooling (Azure Blueprints, Defender for Cloud regulatory compliance) that modifies policy assignments as part of compliance remediation
  • Service principals used by approved CSPM or cloud management platforms that regularly enumerate or adjust resource configurations
Download portable Sigma rule (.yml)

Other platforms for T1578.005

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure Quota Increase Request via Azure CLI

    Expected signal: AzureActivity log entry with OperationNameValue='MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE', ActivityStatusValue='Succeeded', CallerIpAddress matching the machine running the command, Claims.upn matching the authenticated Azure CLI user.

  2. Test 2Delete Azure Policy Assignment via Azure CLI

    Expected signal: Two AzureActivity entries: first with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE' (creation), second with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE' (deletion). Both with ActivityStatusValue='Succeeded'. The DELETE operation is the high-severity event that triggers alerting.

  3. Test 3Enable Unused Azure Region via Feature Registration

    Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER' or 'MICROSOFT.RESOURCES/PROVIDERS/REGISTER', ActivityStatusValue='Succeeded'. CallerIpAddress and Claims.upn identify the caller.

  4. Test 4Create Azure Policy Exemption to Bypass Security Control

    Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE', ActivityStatusValue='Succeeded'. The exemption category (Waiver vs Mitigated), scope, and referenced policy assignment are captured in the Properties field.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1578.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1578Modify Cloud Compute Infrastructure

Related Sub-techniques

T1578.001Create SnapshotT1578.002Create Cloud InstanceT1578.003Delete Cloud InstanceT1578.004Revert Cloud Instance

Related Techniques

T1578Modify Cloud Compute InfrastructureT1578.001Create SnapshotT1578.002Create Cloud InstanceT1578.004Revert Cloud InstanceT1535Unused/Unsupported Cloud RegionsT1496Resource HijackingT1496.004Cloud Service HijackingT1098.003Additional Cloud RolesT1190Exploit Public-Facing ApplicationT1552.008Chat Messages

Same Tactic: Defense Evasion

Popular Detections