Azure AD Privilege Operation Anomaly
Detection overview
Triggers
- Abnormal Azure AD operations that may be associated with privilege escalation or account takeover.
Possible Root Causes
- Attackers may be escalating privileges and performing admin-level operations after regular account takeover.
- A user whose learned activity baseline has been lost as a result of a prolonged leave of absence or a change in job function has returned to their regular job.
- A user’s role may have evolved as part of a special project or assignment and the user is performing Azure AD activities previously outside of their learned baseline.
Business Impact
- Users substantially deviating from their learned baseline in ways that correspond to threats associated with privilege escalation or account takeover often indicate an adversary foothold.
- Account takeover and privilege escalation can lead to sensitive information leakage, ransomware attacks, and other abuses.
Steps to Verify
- Investigate both the target and result of these operations to understand the potential impact.
Azure AD Privilege Operation Anomaly
Possible root causes
Malicious Detection
Benign Detection
Azure AD Privilege Operation Anomaly
Example scenarios
Azure AD Privilege Operation Anomaly
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure AD Privilege Operation Anomaly
Steps to investigate
Azure AD Privilege Operation Anomaly
Related detections
No items found.