Azure AD Privilege Operation Anomaly

Detection overview

Triggers

  • Abnormal Azure AD operations that may be associated with privilege escalation or account takeover.

Possible Root Causes

  • Attackers may be escalating privileges and performing admin-level operations after taking over a regular user account.
  • A user whose learned activity baseline has been lost as a result of a prolonged leave of absence or a change in job function has returned to their regular job.
  • A user’s role may have evolved as part of a special project or assignment and the user is performing Azure AD activities previously outside of their learned baseline.

Business Impact

  • Users substantially deviating from their learned baseline in ways that correspond to threats associated with privilege escalation or account takeover often indicate an adversary foothold.
  • Account takeover and privilege escalation can lead to sensitive information leakage, ransomware attacks, and other abuses.

Steps to Verify

  • Investigate both the target and result of these operations to understand the potential impact.
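As an added illustration of the trigger and the verification step above (example code written for this page, not Vectra's detection logic), the script below learns each user's set of Azure AD operations from a baseline window and flags privilege-sensitive operations that fall outside it, reporting the actor, target and result for triage. The audit entries are constructed; their field names follow the Microsoft Graph directoryAudit schema, and the privileged-operation watch-list is an assumption.

```python
# Added example (not Vectra's detection logic): flag Azure AD audit events that
# change privilege and fall outside a user's learned baseline of operations.
# Entries are constructed; field names follow the Microsoft Graph directoryAudit
# schema, which is an assumption about the log source.
from collections import defaultdict

# Privilege-changing activityDisplayName values (assumed watch-list, not from the page).
PRIVILEGED_OPS = {"Add member to role", "Add eligible member to role",
                  "Add owner to service principal", "Add app role assignment grant to user"}

def learn_baseline(events):
    """Per-user set of activityDisplayName values seen in the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["initiatedBy"]["user"]["userPrincipalName"]].add(e["activityDisplayName"])
    return baseline

def find_anomalies(baseline, events):
    """Return privileged operations a user has not performed before, with target and result."""
    hits = []
    for e in events:
        actor = e["initiatedBy"]["user"]["userPrincipalName"]
        op = e["activityDisplayName"]
        if op in PRIVILEGED_OPS and op not in baseline.get(actor, set()):
            targets = [(t["type"], t["displayName"]) for t in e["targetResources"]]
            hits.append({"actor": actor, "operation": op, "result": e["result"], "targets": targets})
    return hits

def _ev(actor, op, result, targets):
    """Build a minimal constructed directoryAudit-style entry."""
    return {"activityDisplayName": op, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": t, "displayName": n} for t, n in targets]}

# Constructed baseline window: alice routinely manages roles, bob only edits users.
BASELINE_EVENTS = [
    _ev("alice@example.com", "Add member to role", "success", [("Role", "Global Administrator")]),
    _ev("bob@example.com", "Update user", "success", [("User", "carol@example.com")]),
]
# Constructed detection window: bob performs a role change he has never done; alice does her usual work.
NEW_EVENTS = [
    _ev("bob@example.com", "Add member to role", "success", [("Role", "Global Administrator"), ("User", "bob@example.com")]),
    _ev("alice@example.com", "Add member to role", "success", [("Role", "User Administrator")]),
    _ev("bob@example.com", "Update user", "success", [("User", "dave@example.com")]),
]

if __name__ == "__main__":
    for hit in find_anomalies(learn_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(hit)
```

A production version would key the baseline on more than the operation name (target role, time of day, source) and age it out, which is what distinguishes a learned baseline from a static allow-list.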