
Summary
The rule detects Azure VM Serial Console connections by examining Azure Activity Logs for a successful MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION operation where the acting principal (user or service principal) and the source ASN have not appeared together within the history window. Serial Console sessions run outside the VM’s network path, bypassing NSGs and JIT controls, and give interactive SYSTEM (Windows) or root (Linux) access. The rule flags new or unusual principal/ASN pairings within the last 7 days (with a 9-minute lookback for current events), which may indicate misuse by an attacker holding privileged Azure RBAC roles (e.g., Virtual Machine Contributor) or a compromised identity.

It maps to MITRE ATT&CK techniques T1021.008 Direct Cloud VM Connections (Lateral Movement) and T1078.004 Cloud Accounts (Initial Access). The rule carries a medium risk score (47) and provides triage guidance, investigation steps, and remediation actions for determining legitimacy, containing impact, and minimizing exposure, including disabling the serial console when it is not required and rotating credentials if the access was unauthorized.

False positives may occur when administrators legitimately troubleshoot VM reachability failures; such cases should be whitelisted after verification. The rule is designed to detect cloud-based abuse of VM console access rather than standard admin operations, and supports rapid containment and forensic follow-up through correlated identity, RBAC, and network-origin data.
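The new-pairing logic the summary describes, as an added Python example that is not part of the rule or its query: it keeps only successful Serial Console connect operations and flags a (principal, ASN) pair that has no prior sighting inside the 7-day history window. Field names, the constructed Activity Log records and the documentation-range ASNs are assumptions; the 9-minute lookback is the rule's scheduling interval and is not modelled here.

```python
"""Flag Azure Serial Console connects whose (principal, source ASN) pair is new
within a history window, mirroring the detection summarised above (added example)."""
from datetime import datetime, timedelta

SERIAL_CONSOLE_CONNECT = "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
HISTORY_WINDOW = timedelta(days=7)

# Constructed Azure Activity Log records, reduced to the fields the check needs.
# Field names are an assumption; real records carry caller, operationName and
# status under other paths, and the ASN comes from source-IP enrichment.
SAMPLE_EVENTS = [
    {"time": "2026-06-01T09:00:00", "operation": SERIAL_CONSOLE_CONNECT,
     "status": "Succeeded", "principal": "alice@example.test", "asn": 64500},
    {"time": "2026-06-02T10:00:00", "operation": SERIAL_CONSOLE_CONNECT,
     "status": "Succeeded", "principal": "alice@example.test", "asn": 64500},
    {"time": "2026-06-03T11:00:00", "operation": SERIAL_CONSOLE_CONNECT,
     "status": "Failed", "principal": "bob@example.test", "asn": 64500},
    {"time": "2026-06-03T11:05:00",
     "operation": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "status": "Succeeded", "principal": "alice@example.test", "asn": 64500},
    {"time": "2026-06-05T02:30:00", "operation": SERIAL_CONSOLE_CONNECT,
     "status": "Succeeded", "principal": "alice@example.test", "asn": 64501},
    {"time": "2026-06-15T08:00:00", "operation": SERIAL_CONSOLE_CONNECT,
     "status": "Succeeded", "principal": "alice@example.test", "asn": 64500},
]


def detect_new_console_pairs(events, window=HISTORY_WINDOW):
    """Return successful Serial Console connects whose (principal, asn) pair has
    not been seen in the preceding `window`. Events are processed in time order,
    so one last-seen timestamp per pair is enough to decide newness."""
    last_seen = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Only the successful console connect is in scope; failed attempts and
        # other VM operations never enter the pair history.
        if ev["operation"] != SERIAL_CONSOLE_CONNECT or ev["status"] != "Succeeded":
            continue
        ts = datetime.fromisoformat(ev["time"])
        pair = (ev["principal"], ev["asn"])
        prev = last_seen.get(pair)
        # Never-seen pair, or a pair whose last sighting has aged out of the window.
        if prev is None or ts - prev > window:
            flagged.append(ev)
        last_seen[pair] = ts
    return flagged


if __name__ == "__main__":
    for hit in detect_new_console_pairs(SAMPLE_EVENTS):
        print(f'{hit["time"]} {hit["principal"]} from AS{hit["asn"]}: new principal/ASN pairing')
```

On the sample data the first sighting, the new ASN for the same principal, and the return of a known pair after more than 7 days are flagged; the repeat within a day, the failed attempt and the unrelated VM start operation are not.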
Categories
- Cloud
- Azure
- Windows
- Linux
Data Sources
- Cloud Service
ATT&CK Techniques
- T1021
- T1021.008
- T1078
- T1078.004
Created: 2026-06-07