Azure VM Command Executed

Panther Rules

Summary
This rule detects the execution of commands on Azure virtual machines (VMs) through several paths: RunCommand, VM extensions (CustomScriptExtension and DSC), gallery applications, AKS command invocation, VM Scale Set (VMSS) run commands, and serial console access. Adversaries may abuse these features to run unauthorized commands, deploy malicious software, establish persistence, or move laterally within the cloud environment. The rule is currently tagged as 'Experimental' and is intended to improve monitoring of command-execution activity that could indicate a threat against Azure-based workloads. To verify that a detected command execution is legitimate, the relevant Azure Monitor activity logs should be queried for a defined timeframe around the detection event, and the same caller IP address should be checked for prior suspicious activity.
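As an added example (not Panther's own rule code), a Panther-style Python rule covering the execution paths listed above, together with a triage helper that performs the caller-IP lookback the summary recommends. The operation names and the event fields (operationName, callerIpAddress, resultType, time) are assumptions modelled on the Azure Activity Log schema, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed Azure Activity Log operation names (upper-cased for comparison)
# covering each execution path named in the summary.
COMMAND_EXEC_OPERATIONS = {
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION",  # RunCommand
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",  # CustomScript, DSC
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/APPLICATIONS/WRITE",  # gallery applications
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION",
    "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/RUNCOMMAND/ACTION",  # AKS
    "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION",  # serial console
}


def rule(event: dict) -> bool:
    """Panther-style rule entry point: fire when the operation is a
    known command-execution path and the call did not fail."""
    op = str(event.get("operationName", "")).upper()
    return op in COMMAND_EXEC_OPERATIONS and event.get("resultType") != "Failure"


def prior_caller_activity(alert: dict, log: list, window_hours: int = 24) -> list:
    """Triage helper: earlier events in the log from the alert's caller IP
    within the lookback window, oldest first."""
    ip = alert.get("callerIpAddress")
    alert_time = datetime.fromisoformat(alert["time"])
    start = alert_time - timedelta(hours=window_hours)
    hits = [e for e in log
            if e.get("callerIpAddress") == ip
            and start <= datetime.fromisoformat(e["time"]) < alert_time]
    return sorted(hits, key=lambda e: e["time"])


# Constructed sample activity-log events (not real data); RFC 5737 test IPs.
SAMPLE_LOG = [
    {"time": "2026-01-14T09:00:00", "callerIpAddress": "203.0.113.7", "resultType": "Success",
     "operationName": "Microsoft.Compute/virtualMachines/read"},
    {"time": "2026-01-14T09:30:00", "callerIpAddress": "203.0.113.7", "resultType": "Success",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write"},
    {"time": "2026-01-14T10:00:00", "callerIpAddress": "203.0.113.7", "resultType": "Success",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action"},
    {"time": "2026-01-14T10:05:00", "callerIpAddress": "198.51.100.2", "resultType": "Failure",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action"},
]


def alerts_from(log: list) -> list:
    """Apply the rule to every event and return the ones that fire."""
    return [e for e in log if rule(e)]
```

Running `alerts_from(SAMPLE_LOG)` yields the extension write and the RunCommand from 203.0.113.7; `prior_caller_activity` on the RunCommand alert returns the two earlier events from that IP, which is the context an analyst would review before closing the alert.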
Categories
  • Cloud
  • AWS
  • Azure
  • Kubernetes
  • Containers
Data Sources
  • Cloud Service
  • Command
  • Network Traffic
ATT&CK Techniques
  • T1651
Created: 2026-01-14