Azure VM Boot Diagnostics Retrieved

Last updated 5 days ago on 2026-06-15
Created 5 days ago on 2026-06-15

About

Identifies retrieval of Azure VM boot diagnostics data ("MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION") by an identity that has not performed this operation recently. Boot diagnostics expose the VM serial console log and a console screenshot, which frequently contain plaintext boot-time output such as credentials, tokens, cloud-init/agent secrets, and command history. An adversary with VM read/contributor rights can retrieve this data over the control plane, without logging into the guest or touching the network, to harvest credentials.
Tags
Domain: Cloud
Domain: Endpoint
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Credential Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
Support engineers, infrastructure-as-code, and VM health automation may legitimately retrieve boot diagnostics during troubleshooting. The first occurrence per principal will alert; baseline expected support users, service principals, and managed identities and exclude them if the activity is verified as authorized.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure

Query
data_stream.dataset:azure.activitylogs and event.action:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION" and event.outcome:(success or Success)
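As an added example (not part of the rule or the Elastic Azure integration), the query's filter and the "identity that has not performed this operation recently" logic replayed over constructed activity-log events, including the baselining of a verified support principal described under False Positive Examples. The flattened ECS-style keys, the principal field user.name and the 10-day lookback are assumptions.

```python
from datetime import datetime, timedelta

ACTION = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RETRIEVEBOOTDIAGNOSTICSDATA/ACTION"

def ev(ts, who, outcome="success", action=ACTION):
    """Build a constructed, flattened ECS-style activity-log event (assumed field names)."""
    return {"@timestamp": ts, "data_stream.dataset": "azure.activitylogs",
            "event.action": action, "event.outcome": outcome, "user.name": who}

# Constructed sample data: a support account, a new principal, a failed
# attempt, and an unrelated VM read that the query must ignore.
SAMPLE_EVENTS = [
    ev("2026-06-01T09:00:00+00:00", "support-automation", "Success"),
    ev("2026-06-02T09:05:00+00:00", "support-automation"),
    ev("2026-06-03T22:41:00+00:00", "contractor-01", "failure"),
    ev("2026-06-03T22:43:00+00:00", "contractor-01"),
    ev("2026-06-04T10:00:00+00:00", "contractor-01",
       action="MICROSOFT.COMPUTE/VIRTUALMACHINES/READ"),
    ev("2026-06-20T08:00:00+00:00", "support-automation"),
]

def matches_query(event):
    """Mirror the rule's KQL: right dataset, the boot-diagnostics action,
    and a successful outcome in either capitalisation."""
    return (event.get("data_stream.dataset") == "azure.activitylogs"
            and event.get("event.action") == ACTION
            and event.get("event.outcome") in ("success", "Success"))

def new_principal_alerts(events, lookback_days=10, exclusions=()):
    """Alert on a principal's first successful retrieval, and again only when
    its previous retrieval is older than lookback_days. Principals listed in
    exclusions (verified support users, automation) are baselined and never alert."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(event):
            continue
        who = event["user.name"]
        ts = datetime.fromisoformat(event["@timestamp"])
        prev = last_seen.get(who)
        last_seen[who] = ts
        if who in exclusions:
            continue
        if prev is None or ts - prev > timedelta(days=lookback_days):
            alerts.append((who, event["@timestamp"]))
    return alerts

if __name__ == "__main__":
    for who, when in new_principal_alerts(SAMPLE_EVENTS):
        print(f"ALERT {when} {who} retrieved boot diagnostics (not seen recently)")
```

Without exclusions the support account alerts on its first retrieval and again after an 18-day gap; with it baselined only the new principal's successful retrieval remains, and the failed attempt and the plain VM read never match.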

Install detection rules in Elastic Security

Detect Azure VM Boot Diagnostics Retrieved in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.