Detect Modify Cloud Compute Configurations in Sumo Logic CSE
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses or abuse victim resources. Targeted configurations include service quotas, subscription-level policies that restrict VM sizes or regions, tenant-wide Azure Policy assignments, and cloud provider quota request workflows. By increasing allowed compute quotas or removing policy guardrails, adversaries can launch large GPU/CPU instances for cryptomining or deploy resources in unsupported regions that lack monitoring coverage — all without triggering standard resource-creation alerts that assume baseline quota limits. Real-world incidents include compromised Azure tenants where attackers submitted quota increase requests for high-core-count VM SKUs (Standard_NC series for GPU mining) and removed Azure Policy assignments that enforced allowed VM sizes, enabling deployment of previously blocked instance types.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1578.005 Modify Cloud Compute Configurations
- Canonical reference
- https://attack.mitre.org/techniques/T1578/005/
Sumo Detection Query
_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount descSumo Logic detection for Modify Cloud Compute Configurations. Detects modifications to Azure cloud compute configurations including quota increase requests, Azure Policy assignment modifications or deletions (which could remove VM size or region restrictions), p
Data Sources
Required Tables
False Positives & Tuning
- Cloud administrators creating authorized snapshots for backup or migration
- Automated disaster recovery systems creating scheduled cloud snapshots
- DevOps pipelines creating and deleting compute instances as part of CI/CD
- Authorized cloud infrastructure migrations between regions or accounts
Other platforms for T1578.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure Quota Increase Request via Azure CLI
Expected signal: AzureActivity log entry with OperationNameValue='MICROSOFT.QUOTA/QUOTAREQUESTS/WRITE', ActivityStatusValue='Succeeded', CallerIpAddress matching the machine running the command, Claims.upn matching the authenticated Azure CLI user.
- Test 2Delete Azure Policy Assignment via Azure CLI
Expected signal: Two AzureActivity entries: first with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE' (creation), second with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE' (deletion). Both with ActivityStatusValue='Succeeded'. The DELETE operation is the high-severity event that triggers alerting.
- Test 3Enable Unused Azure Region via Feature Registration
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.FEATURES/PROVIDERS/FEATURES/REGISTER' or 'MICROSOFT.RESOURCES/PROVIDERS/REGISTER', ActivityStatusValue='Succeeded'. CallerIpAddress and Claims.upn identify the caller.
- Test 4Create Azure Policy Exemption to Bypass Security Control
Expected signal: AzureActivity entry with OperationNameValue='MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE', ActivityStatusValue='Succeeded'. The exemption category (Waiver vs Mitigated), scope, and referenced policy assignment are captured in the Properties field.
References (9)
- https://attack.mitre.org/techniques/T1578/005/
- https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
- https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute
- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
- https://learn.microsoft.com/en-us/rest/api/quota/quota/update
- https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md
Unlock Pro Content
Get the full detection package for T1578.005 including response playbook, investigation guide, and atomic red team tests.