Query Details

HUNT 01 GPU VM Deployment History

Query

// Hunt     : Hunt - GPU and High-Compute VM Deployment History (90d)
// Tactics  : Impact
// MITRE    : T1496
// Purpose  : Inventory all successful GPU/high-compute VM deployments over the past 90 days. Use to baseline legitimate deployers before tuning Rule-01, and to investigate potential cryptojacking campaigns.
//==========================================================================================

// SKU families of interest: NC, NV, ND (GPU), NP (FPGA), HB, HC (HPC).
// Matched with a regex rather than has_any: has/has_any match whole terms, so a family
// prefix such as "Standard_NC" does not match a full size name like "Standard_NC6s_v3".
// (?i) keeps the match case-insensitive, as has_any would have been; \w* captures the
// rest of the size name without swallowing the escaped quote that follows it in the JSON.
let GPUSKUPattern = @'(?i)Standard_(?:NC|NV|ND|NP|HB|HC)\w*';
AzureActivity
| where TimeGenerated > ago(90d)
// WRITE is create-or-update: a resize of an existing VM to a GPU size is caught as well
| where OperationNameValue has_any ("VIRTUALMACHINES/WRITE", "VIRTUALMACHINESCALESETS/WRITE")
| where ActivityStatusValue =~ "Success"
// AzureActivity has no VM-size column; the size sits in the request body carried as text in Properties
| where Properties matches regex GPUSKUPattern
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup, ResourceId, Properties
// First size name matching the pattern, for grouping without parsing the JSON
| extend SKUHint = extract(GPUSKUPattern, 0, Properties)
| order by TimeGenerated desc

Explanation

This query inventories every successful deployment (create or update) of a GPU or high-compute virtual machine (VM) or scale set over the past 90 days. Step by step:

  1. Define SKU families: It fixes the Azure VM size families of interest: NC, NV and ND (GPU), NP (FPGA), and HB and HC (HPC). These are the sizes a cryptojacker goes after, and most tenants deploy them rarely enough that the legitimate deployers can be enumerated.

  2. Filter Azure Activity Logs: It reads AzureActivity for VIRTUALMACHINES/WRITE and VIRTUALMACHINESCALESETS/WRITE operations in the last 90 days. A WRITE is a create-or-update, so resizing an existing VM to a GPU size is caught as well as a fresh deployment.

  3. Success Filter: Only operations with an ActivityStatusValue of Success are kept. Failed attempts (rejected by quota, policy or RBAC) are dropped here; they deserve a separate query, because a run of quota failures from one caller can be someone probing for capacity.

  4. SKU Match: AzureActivity has no dedicated VM-size column; the size appears only in the request body that is logged as text in Properties, so the query matches the SKU families against that text.

  5. Select Relevant Information: It keeps the time of the operation, the Caller, the CallerIpAddress, the SubscriptionId, ResourceGroup and ResourceId, and the Properties text for later inspection.

  6. Extract SKU Information: It pulls the first size name matching the pattern out of Properties into SKUHint, so results can be grouped by size without opening the JSON.

  7. Order Results: Finally, it sorts by TimeGenerated, newest first.

The output is an inventory of all successful GPU/high-compute deployments, not only the legitimate ones: deciding which callers, subscriptions and source IP addresses are expected is the analyst's job, and that baseline is what Rule-01's exclusions are tuned from. Callers, subscriptions or IP addresses outside the baseline, unusually large scale-set capacities, and bursts of deployments shortly after a new credential or service principal appears are the indicators that point at cryptojacking (T1496, Resource Hijacking). One caveat: a 90-day window baselines whatever happened in it, including an intrusion already under way, so verify each recurring deployer before excluding it.
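The following is an added example, not part of the original hunt: a handful of constructed AzureActivity-like rows in a datatable, run through the same filter and then summarized into the per-caller baseline the explanation refers to. The Properties shape (the request body embedded as escaped JSON) is an approximation of the real column, and all callers, IPs, subscriptions and resource IDs are made up. The TermMatches column shows how many of the kept rows the original has_any filter would also have matched.

```kql
// Added example: constructed AzureActivity-like rows, not real log data.
// Runs in any Kusto / Log Analytics query window; no workspace table is read.
let GPUSKUs = dynamic(["Standard_NC", "Standard_NV", "Standard_ND", "Standard_NP", "Standard_HB", "Standard_HC"]);
let GPUSKUPattern = @'(?i)Standard_(?:NC|NV|ND|NP|HB|HC)\w*';
let SampleActivity = datatable(
    TimeGenerated:datetime, Caller:string, CallerIpAddress:string, SubscriptionId:string,
    ResourceGroup:string, ResourceId:string, OperationNameValue:string,
    ActivityStatusValue:string, Properties:string)
[
    // Expected ML-team deployment of a single GPU VM
    datetime(2026-03-01 09:12:00), "ml-pipeline@contoso.example", "203.0.113.10", "sub-aaaa", "rg-ml-prod",
    "/subscriptions/sub-aaaa/resourceGroups/rg-ml-prod/providers/Microsoft.Compute/virtualMachines/gpu-train-01",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success",
    @'{"requestbody":"{\"properties\":{\"hardwareProfile\":{\"vmSize\":\"Standard_NC6s_v3\"}}}"}',
    // Scale set of 20 A100 instances from an unfamiliar subscription, SKU typed in lower case
    datetime(2026-03-02 22:41:00), "contractor@partner.example", "198.51.100.7", "sub-bbbb", "rg-test",
    "/subscriptions/sub-bbbb/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-batch",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE", "Success",
    @'{"requestbody":"{\"sku\":{\"name\":\"standard_nc24ads_a100_v4\",\"capacity\":20}}"}',
    // Same caller, earlier attempt at 200 instances rejected by quota: dropped by the Success filter
    datetime(2026-03-02 22:39:00), "contractor@partner.example", "198.51.100.7", "sub-bbbb", "rg-test",
    "/subscriptions/sub-bbbb/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-batch",
    "MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/WRITE", "Failure",
    @'{"requestbody":"{\"sku\":{\"name\":\"Standard_NC24ads_A100_v4\",\"capacity\":200}}"}',
    // General-purpose VM: no SKU match, should not appear
    datetime(2026-03-03 10:00:00), "ops@contoso.example", "203.0.113.11", "sub-aaaa", "rg-web",
    "/subscriptions/sub-aaaa/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web-01",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success",
    @'{"requestbody":"{\"properties\":{\"hardwareProfile\":{\"vmSize\":\"Standard_D4s_v5\"}}}"}'
];
SampleActivity
| where OperationNameValue has_any ("VIRTUALMACHINES/WRITE", "VIRTUALMACHINESCALESETS/WRITE")
| where ActivityStatusValue =~ "Success"
| extend SKUHint = extract(GPUSKUPattern, 0, Properties)
| where isnotempty(SKUHint)
// Two-letter family (NC, NV, ...) so the baseline can be read per family rather than per exact size
| extend SKUFamily = toupper(extract(@'(?i)Standard_([A-Z]{2})', 1, SKUHint))
// Baseline: who deploys which family, from where, how often. Rows you recognise become
// Rule-01 exclusions; rows you do not become investigations.
| summarize Deployments = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(CallerIpAddress), SKUs = make_set(SKUHint),
            TermMatches = countif(Properties has_any (GPUSKUs))
    by Caller, SubscriptionId, SKUFamily
| order by Deployments desc
```

Swap SampleActivity for AzureActivity, add the ago(90d) filter and the `project` from the hunt, and the summarize step is the baseline table to review before tuning Rule-01. TermMatches is there only to show the term-matching pitfall: has_any compares whole terms, so a family prefix such as "Standard_NC" does not match the full size names in these rows, which is why the filter uses a regex.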

Details


David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

AzureActivity, Devices, VM Deployments, Properties

Operators

let, dynamic, has_any, =~, project, extend, extract, order by, desc
