
Azure VM Managed Run Command Created or Updated with Unusual Principal

Elastic Detection Rules

Summary
This rule detects when Azure VM managed Run Commands are created or updated by an identity that has not recently performed this operation, surfacing potentially unauthorized or unusual activity. Unlike the traditional runCommand/action operation, the managed Run Command resource is persistent on the VM and executes the supplied script with SYSTEM/root privileges when created or updated. By basing alerts on the acting principal (first-time occurrence within a history window), the rule aims to identify abuse of the managed Run Command surface for persistence or privilege escalation while minimizing noise from routine automation that repeatedly touches the same Run Command.

The alert relies on Azure Activity Logs (logs-azure.activitylogs-*) and uses a new-terms approach keyed to the acting principal_id, with a history window to suppress repeated alerts for the same principal. Investigation focuses on the principal identity (User vs. ServicePrincipal/Managed Identity), the source network context, the target VM/VMSS run command resource, and cross-referencing with related VM operations and endpoint telemetry (e.g., WaAppAgent/WALinuxAgent) on the host.

The MITRE ATT&CK mapping is T1651 (Cloud Administration Command) under Execution, reflecting the potential for cloud-based command execution to achieve persistence, privilege escalation, or command-and-control actions. The rule includes explicit false-positive guidance for IaC/configuration automation and advises exclusions for baseline, authorized principals (e.g., known admins, service principals). Remediation guidance covers revoking or deleting the suspicious Run Command, isolating the VM, rotating credentials within the reachable scope, and an RBAC/identity review. References point to Azure Run Command documentation and common abuse patterns. Overall, the rule balances detecting unusual first-time activity with practical steps to validate authorization and respond to potential abuse in Azure VM deployments.
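To make the new-terms approach concrete, here is an added Python illustration; it is not Elastic's rule or its query. It replays constructed Azure Activity Log-style records through a first-seen-within-window check keyed on principal_id, ignores the legacy runCommand/action operation and failed writes, and takes an exclusion set for baseline principals as the false-positive guidance suggests. The flattened field names, the runCommands write operation names and every sample record are assumptions made for this example.

```python
"""Illustrative new-terms detection over Azure Activity Log style events.

Added example, not Elastic's rule or its query. The field names, the
runCommands write operation names and the sample records are assumptions
constructed for this illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed ARM operation names for writes to the managed Run Command resource
# (VM form and VMSS-instance form). Activity Log operation names vary in
# case, so they are compared lower-cased.
RUN_COMMAND_WRITE_OPS = {
    "microsoft.compute/virtualmachines/runcommands/write",
    "microsoft.compute/virtualmachinescalesets/virtualmachines/runcommands/write",
}

# Placeholder subscription and resource group for the constructed records.
VM_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "rg-prod/providers/Microsoft.Compute/virtualMachines/")


def make_event(ts, op, principal_id, principal_type, outcome, source_ip, resource):
    """Build one flattened record in the shape the detector expects (assumed layout)."""
    return {"@timestamp": ts, "operation_name": op, "principal_id": principal_id,
            "principal_type": principal_type, "outcome": outcome,
            "source_ip": source_ip, "resource": VM_PREFIX + resource}


WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE"
ACTION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"  # legacy action, out of scope

# Constructed sample records (not real telemetry), deliberately out of order
# to show that the detector sorts before evaluating.
SAMPLE_EVENTS = [
    make_event("2026-06-10T14:25:00Z", WRITE, "contractor@example.com", "User",
               "success", "198.51.100.23", "vm-web-01/runCommands/Maint"),
    make_event("2026-06-01T09:00:00Z", WRITE, "sp-iac-pipeline", "ServicePrincipal",
               "success", "203.0.113.10", "vm-web-01/runCommands/Configure"),
    make_event("2026-06-03T09:00:00Z", WRITE, "sp-iac-pipeline", "ServicePrincipal",
               "success", "203.0.113.10", "vm-web-02/runCommands/Configure"),
    make_event("2026-06-10T14:22:00Z", WRITE, "contractor@example.com", "User",
               "success", "198.51.100.23", "vm-web-01/runCommands/Maint"),
    make_event("2026-06-11T10:00:00Z", ACTION, "sp-iac-pipeline", "ServicePrincipal",
               "success", "203.0.113.10", "vm-web-01"),
    make_event("2026-06-12T08:00:00Z", WRITE, "sp-unknown", "ServicePrincipal",
               "failure", "192.0.2.77", "vm-db-01/runCommands/Probe"),
    make_event("2026-07-20T03:15:00Z", WRITE, "contractor@example.com", "User",
               "success", "198.51.100.23", "vm-web-01/runCommands/Maint"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_new_principals(events, history_days=14, excluded_principals=frozenset()):
    """Alert on successful managed Run Command writes whose principal_id has
    not performed such a write within the last history_days before the event.

    A second write by the same principal inside the window is suppressed;
    the same principal reappearing after the window expires alerts again.
    Principals in excluded_principals (baseline automation, known admins)
    never alert, mirroring the rule's false-positive guidance.
    """
    window = timedelta(days=history_days)
    last_seen = {}  # principal_id -> timestamp of its most recent qualifying write
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if ev.get("operation_name", "").lower() not in RUN_COMMAND_WRITE_OPS:
            continue  # legacy runCommand/action and unrelated operations
        if ev.get("outcome") != "success":
            continue  # a failed write did not change the VM
        pid = ev["principal_id"]
        ts = parse_ts(ev["@timestamp"])
        previous = last_seen.get(pid)
        last_seen[pid] = ts
        if pid in excluded_principals:
            continue
        if previous is None or ts - previous > window:
            alerts.append({
                "timestamp": ev["@timestamp"],
                "principal_id": pid,
                "principal_type": ev.get("principal_type"),
                "source_ip": ev.get("source_ip"),
                "resource": ev["resource"],
                "reason": "first managed Run Command write by this principal in the history window",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_principals(SAMPLE_EVENTS, excluded_principals={"sp-iac-pipeline"}):
        print(alert["timestamp"], alert["principal_type"], alert["principal_id"], alert["resource"])
```

Run as-is, the script reports the contractor's first write on 2026-06-10 and again on 2026-07-20 (more than 14 days later), while the IaC pipeline is silenced by the exclusion set and the 14:25 repeat is suppressed by the window. Dropping the exclusion surfaces the pipeline's own first write, which is the kind of baseline alert the rule's false-positive guidance exists to tune out.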
Categories
  • Cloud
  • Endpoint
  • Azure
  • Windows
  • Linux
Data Sources
  • Cloud Service
  • Process
ATT&CK Techniques
  • T1651
Created: 2026-06-16