
Summary
This detection rule identifies command execution on Azure virtual machines through the Run Command feature. Run Command lets any principal holding the corresponding Azure RBAC permission execute scripts inside a VM's guest operating system from the Azure Portal or through the API; the script is delivered by the VM agent and runs with the agent's privileges (SYSTEM on Windows, root on Linux), so it provides code execution on the guest without any guest credentials. The rule reads Azure Activity Log data ingested into Splunk and filters for the Microsoft.Compute/virtualMachines/runCommand/action operation with a successful status, so that one alert is raised per executed command rather than per intermediate (Started, Accepted) status record. Because administrators also use Run Command for routine maintenance, every hit needs triage on its context: the caller identity, the caller IP address, the target VM, and whether that identity is expected to run commands on that resource. The same capability is used by threat actors for post-compromise execution in the tenant, and the rule is associated with activity attributed to the threat actor group Storm-1283.
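The following is an added example, not part of the original detection content or its Splunk search: the same filtering logic (successful runCommand/action records, enriched with caller, source IP and target VM) implemented in Python over Azure Activity Log records. The sample records are constructed, not captured telemetry; the ALLOWLIST of expected automation identities is a hypothetical triage aid; field names follow the Azure Activity Log schema, which appears either with nested {"value": ...} objects (REST/portal export) or as flat strings (Event Hub/diagnostic export), and the code accepts both shapes. Treat the accepted status spellings as an assumption to verify against your own feed.

```python
"""Added example (not the original page's or Splunk's code): flag successful
Azure VM Run Command executions in Activity Log records.

Assumptions: SAMPLE_EVENTS below are constructed; ALLOWLIST is hypothetical;
field names follow the Azure Activity Log schema in both its nested
({"value": ...}) and flat-string shapes; accepted status spellings should be
checked against your own export format.
"""
import json
from typing import Iterable

# Operation the Run Command feature writes to the Activity Log (compared
# case-insensitively, since exports differ in casing).
RUN_COMMAND_OP = "microsoft.compute/virtualmachines/runcommand/action"

# Status values meaning "the command actually ran". Both spellings occur
# across export formats (assumption: confirm against your feed).
SUCCESS_STATUSES = {"succeeded", "success"}

# Hypothetical allowlist of identities expected to run commands, e.g. a
# patching automation service principal. Anything else that succeeds is alerted.
ALLOWLIST = {"patch-automation@contoso.example"}


def _field(event: dict, name: str) -> str:
    """Return a field as a lowercase string, unwrapping {"value": ...} objects."""
    val = event.get(name, "")
    if isinstance(val, dict):
        val = val.get("value", "")
    return str(val).lower()


def is_successful_run_command(event: dict) -> bool:
    """True only for a completed Run Command operation.

    Azure emits several records per operation (Started, Accepted, Succeeded or
    Failed). Matching only the success record yields one alert per executed
    command and ignores attempts that never ran.
    """
    op = _field(event, "operationName")
    status = _field(event, "status") or _field(event, "resultType")
    return op == RUN_COMMAND_OP and status in SUCCESS_STATUSES


def detect(events: Iterable[dict], allowlist=ALLOWLIST) -> list[dict]:
    """Run the detection over activity records; return one alert per hit."""
    expected = {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        if not is_successful_run_command(ev):
            continue
        caller = _field(ev, "caller")
        if caller in expected:
            continue  # expected automation identity, suppressed for triage
        resource_id = str(ev.get("resourceId", ""))
        alerts.append({
            "time": ev.get("time"),
            "caller": caller,
            "src_ip": ev.get("callerIpAddress"),
            "vm": resource_id.rsplit("/", 1)[-1],  # last segment is the VM name
            "resourceId": resource_id,
        })
    return alerts


_VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-prod/providers/Microsoft.Compute/virtualMachines/web-01")
_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"

# Constructed sample records (not real telemetry). Record 2 uses the nested
# shape, the others the flat shape, to exercise both parsers.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:15:01Z", "operationName": _OP, "resultType": "Start",
     "caller": "alice@contoso.example", "callerIpAddress": "203.0.113.10",
     "resourceId": _VM},
    {"time": "2024-02-09T10:15:09Z",
     "operationName": {"value": _OP, "localizedValue": "Run Command on Virtual Machine"},
     "status": {"value": "Succeeded", "localizedValue": "Succeeded"},
     "caller": "alice@contoso.example", "callerIpAddress": "203.0.113.10",
     "resourceId": _VM},
    {"time": "2024-02-09T10:20:00Z", "operationName": _OP, "resultType": "Failure",
     "caller": "bob@contoso.example", "callerIpAddress": "198.51.100.7",
     "resourceId": _VM},
    {"time": "2024-02-09T11:00:00Z", "operationName": _OP, "resultType": "Success",
     "caller": "patch-automation@contoso.example", "callerIpAddress": "192.0.2.5",
     "resourceId": _VM},
    {"time": "2024-02-09T11:05:00Z",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "resultType": "Success", "caller": "alice@contoso.example",
     "callerIpAddress": "203.0.113.10", "resourceId": _VM},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run stand-alone, the block prints a single alert for the nested Succeeded record by alice from 203.0.113.10 against web-01; the Started record, the failed attempt, the allowlisted automation identity and the unrelated start/action operation are all dropped. Passing an empty allowlist surfaces the automation identity as a second alert, which is the trade-off to make consciously: the allowlist is a triage filter, and a compromised automation credential would be hidden by it.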
Categories
- Cloud
- Azure
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1578
- T1530
Created: 2024-02-09