Outdated hunting query for AzureRunCommandMDELinked #11686

Closed
mgijo opened this issue Jan 20, 2025 · 8 comments
Labels: Hunting (Hunting specialty review needed)

Comments


mgijo commented Jan 20, 2025

Describe the bug
The existing hunting query for Azure VM Run Command linked with MDE, located at https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AzureRunCommandMDELinked.yaml, is outdated.

To Reproduce
I tried executing this in my environment and don't see any results. I have made a few changes to the query that helped me get some results. But again, the KQL line that mentions `| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)` probably needs fixing. Some other fixes I found that need to be made to this hunting query:

  1. From `| where OperationNameValue == "Microsoft.Compute/virtualMachines/runCommand/action"` to `| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/runCommand/action"`
  2. From `| where list_ActivityStatusValue has "Succeeded"` to `| where list_ActivityStatusValue has "Success"`

This query seems to be outdated since it was built 4 years ago. I would recommend a review and fix on this.

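The two operator changes from the report above, written out as an added example; this is not the repository's query and not the reporter's, and it only covers the Azure Activity half of the hunt. The table and column names (AzureActivity, OperationNameValue, ActivityStatusValue, CorrelationId, Caller, ResourceGroup, TimeGenerated) are the standard Azure Activity schema in Sentinel; the summarize keys and the StartTime/EndTime aliases are an assumption about how the original query builds list_ActivityStatusValue, which this page does not show.

```kql
// Added example, not the repository's hunting query.
// Finds VM Run Command invocations in Azure Activity and keeps the ones
// whose status records report success.
AzureActivity
// '=~' is case-insensitive string equality. '==' is exact, so any casing
// difference in the operation name silently yields zero rows.
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/runCommand/action"
// One invocation produces several records (the start and the final status)
// that share a CorrelationId. Collapse them so all status values of the
// invocation can be inspected together and its time window is known.
| summarize StartTime = min(TimeGenerated),
            EndTime = max(TimeGenerated),
            list_ActivityStatusValue = make_list(ActivityStatusValue)
            by CorrelationId, Caller, ResourceGroup
// 'has' is a case-insensitive whole-term match, so "Succeeded" does not
// match a record whose status is "Success". The term must be the one the
// connector emits today, which the report above identifies as "Success".
| where list_ActivityStatusValue has "Success"
| project StartTime, EndTime, Caller, ResourceGroup, CorrelationId, list_ActivityStatusValue
```

StartTime and EndTime are the bounds a later `between (StartTime .. EndTime)` check against MDE file-creation timestamps would consume; that part of the query is the one the report says still needs fixing, so it is not reproduced here.
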
@v-sudkharat v-sudkharat added the Hunting Hunting specialty review needed label Jan 21, 2025
v-visodadasi (Contributor) commented

Hi @mgijo, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

v-visodadasi (Contributor) commented Feb 5, 2025

@mgijo, to help us investigate and resolve the problem, could you please share the relevant logs from your environment? Specifically, we need logs that include:

  - OperationNameValue: logs related to Microsoft.Compute/virtualMachines/runCommand/action.
  - ActivityStatusValue: logs indicating the status of the operations, especially those with "Success".

Additionally, if you have any other logs or details that you think might be helpful, please include those as well.

v-visodadasi (Contributor) commented

@mgijo, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 10-02-2025, we will close this issue.

mgijo (Author) commented Feb 7, 2025

> @mgijo, to help us investigate and resolve the problem, could you please share the relevant logs from your environment? Specifically, we need logs that include: OperationNameValue: logs related to Microsoft.Compute/virtualMachines/runCommand/action. ActivityStatusValue: logs indicating the status of the operations, especially those with "Success". Additionally, if you have any other logs or details that you think might be helpful, please include those as well.

Sure, I can share. Could you provide a secure upload location for these logs? I am not comfortable uploading raw logs to public GitHub. Thanks!

v-visodadasi (Contributor) commented

@mgijo, thanks for your reply!
You can send it to [email protected]

v-visodadasi (Contributor) commented

@mgijo, could you please share the relevant logs ASAP!

v-visodadasi (Contributor) commented

@mgijo, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 18-02-2025, we will close this issue.

v-visodadasi (Contributor) commented

@mgijo, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open it at any time. Thank you for your cooperation!
