Azure Resource Manager Azure-Microsoft.Resources

4 operations, identified by operationName in the audit log.

operationName	Description
_catch_all	Catch-all for Azure-Microsoft.Resources rules matching the resource provider but no specific operation.
Microsoft.Resources/deployments/write	Creates or updates an ARM template deployment, executing infrastructure-as-code that may provision or modify any Azure resource.
Microsoft.Resources/subscriptions/resourceGroups/delete	Deletes a resource group and all resources it contains; a destructive operation used in denial-of-service or cleanup-after-exfiltration scenarios.
Microsoft.Resources/subscriptions/resourceGroups/write	Creates or updates a resource group, establishing a management boundary for Azure resources.

_catch_all: Azure Resource Manager (catch-all)

Resource provider: Azure-Microsoft.Resources

Description

Catch-all for Azure-Microsoft.Resources rules matching the resource provider but no specific operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Resources/deployments/write

Resource provider: Azure-Microsoft.Resources

Description

Creates or updates an ARM template deployment, executing infrastructure-as-code that may provision or modify any Azure resource.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`azure_ad::operation_name_value`	in	`microsoft.resources/deployments/write`	3 rules	kusto
`azure_ad::operation_name_value`	in	`microsoft.compute/virtualmachines/write`	2 rules	kusto
`ActivityStatusValue`	starts_with	`Accept`	2 rules	kusto
`Properties`	contains	`vmsize`	2 rules	kusto
`vmSize`	contains	`token`	2 rules	kusto
`anomalies`	gt	`0`	1 rule	kusto
`baseline`	gt	`0`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Suspicious number of resource creation or deployment activities source medium: Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log. This query generates the baseline pattern of cloud resource creation by an individual and generates an anomaly when any unusual spike is detected. These anomalies from unusual or privileged users could be an indication of a cloud infrastructure takedown by an adversary.
Creation of expensive computes in Azure source low: Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions
NRT Creation of expensive computes in Azure source medium: Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions

Show 1 more (4 total)

Suspicious Resource deployment source low: Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.↳ also matches Microsoft.Resources/subscriptions/resourceGroups/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Resources/subscriptions/resourceGroups/delete

Resource provider: Azure-Microsoft.Resources

Description

Deletes a resource group and all resources it contains; a destructive operation used in denial-of-service or cleanup-after-exfiltration scenarios.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Resource Group Deleted source medium: Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Resources/subscriptions/resourceGroups/write

Resource provider: Azure-Microsoft.Resources

Description

Creates or updates a resource group, establishing a management boundary for Azure resources.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Kusto #

Suspicious Resource deployment source low: Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen caller.↳ also matches Microsoft.Resources/deployments/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Azure Resource Manager Azure-Microsoft.Resources

_catch_all: Azure Resource Manager (catch-all)

Description

Fields #

References #

Microsoft.Resources/deployments/write

Description

Fields #

Common Indicators #

Detection Rules #

Kusto #

References #

Microsoft.Resources/subscriptions/resourceGroups/delete

Description

Fields #

Detection Rules #

Elastic #

References #

Microsoft.Resources/subscriptions/resourceGroups/write

Description

Fields #

Detection Rules #

Kusto #

References #

Keyboard shortcuts

Search operators