Hunting For Dead Azure Machines

TLDR:
Decom your test machines properly!
Hashes are still useful after the machine is gone

New Toys are fun

20,266 logins in 12 hours! Should be enough to get started. I managed to use the logs to build out some nice rules and hunting queries pulling in data from OTX (Tor nodes, known bad IPs). Thought this would be the end of this and shut it all down. Out of curiosity I started to look at the usernames logging on, messed up the KQL query and sorted by smallest rather than largest…

January 19, 2022 · 2 min · Tom Kinnaird