Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-azure-activity-log-detections
Overview
3Dashboards
36Benchmarks
43Queries
1Variables
GitHub

Detection: Compute VM Role Assignment Created or Updated

Overview

Detect when a role assignment for an Azure Compute virtual machine was created or updated. Role assignment changes can impact access control, potentially granting or revoking permissions for critical resources. Monitoring these updates ensures proper governance and helps prevent unauthorized access to VMs.

References:

Usage

Run the detection in your terminal:

powerpipe detection run azure_activity_log_detections.detection.compute_vm_role_assignment_created_or_updated

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run azure_activity_log_detections.detection.compute_vm_role_assignment_created_or_updated --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
operation_name as operation,
resource_id as resource,
caller as actor,
tp_index::varchar as subscription_id,
resource_group_name as resource_group,
tp_id as source_id,
status as event_status,
*


from
  azure_activity_log
where
  operation_name = 'Microsoft.Authorization/roleAssignments/write'
  and resource_type = 'Microsoft.Compute/virtualMachines'
  and status = 'Succeeded'


order by
  timestamp desc;

Tags

category = Detections
folder = Compute
mitre_attack_ids = TA0003:T1078.004
plugin = azure
service = Azure/Compute