Azure Managed Identity Anomaly

Detection overview

Triggers

  • Successful login attempts using Azure Managed Identity credentials from unusual IP addresses or locations.
  • Usage of Azure Managed Identity to access an unusual subscription, resource type, or service.
  • Usage of Azure Managed Identity to perform operations that are not typically associated with the identity.

Possible Root Causes

  • Compromised Principal: An attacker has gained access to an Azure Managed Identity and is attempting unauthorized access to sensitive resources.
  • Unauthorized Subscription Access: An attacker has obtained valid but unauthorized access to an Azure subscription through a managed identity.
  • Misconfigured Permissions: Incorrectly configured Azure Managed Identity permissions are allowing unintended access.
  • Phishing Attack: Azure users with managed identities have been targeted by phishing attempts, leading to credential compromise.
  • Outdated Security Measures: Legacy configurations or inadequate security controls are allowing unauthorized access.
  • Service Compromise: An Azure service that runs under a managed identity may itself have been compromised, giving the attacker use of that identity.
  • Legitimate Configuration Change: A new setting has been applied to services that use an Azure Managed Identity.

Business Impact

  • Unauthorized access to sensitive data and resources, potentially leading to data breaches.
  • Exploitation of security weaknesses arising from misconfigured managed identities or from the services that use them.
  • Unplanned changes to business logic or workflows.
  • Potential disruption of critical business services and reputational damage.

Steps to Verify

  • Review Azure Activity Logs: Investigate logs for the suspicious event, focusing on the user/service principal and the Managed Identity activity.
  • Check Permissions: Investigate the user's or service principal's permissions and access levels within Azure.
  • Inspect Configuration: Review the Managed Identity configuration and settings for unusual changes.
  • Consult Stakeholders: Work with Azure administrators, security teams, and relevant stakeholders to determine the cause and scope of the incident.
  • Analyze Authentication Events: Review login attempts and successful authentication events linked to the Managed Identity.
  • Perform an Audit: Conduct a thorough audit of Azure subscriptions and resources accessed by the Managed Identity to detect further anomalies.
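The three triggers above (unusual network, unusual subscription or resource type, unusual operation) and the log-review steps in Steps to Verify all come down to the same check: build a per-identity profile from a baseline window of activity, then compare each event under review against it. The following is an added example of that check and is not the detection logic of the page or of any vendor product. The events are constructed and use simplified field names (identity, result, ip, subscription, resource_type, operation) rather than the exact Azure sign-in or Activity Log schema; the /24 and /64 grouping of addresses is a design choice of this example, so that address churn inside one subnet is not reported as a new location.

```python
"""Baseline-and-compare check for Azure Managed Identity activity (added example).

Events are constructed for the example and use simplified field names, not the
exact Azure sign-in or Activity Log schema.
"""
from collections import defaultdict
import ipaddress

# Constructed baseline window: what each identity normally does and from where.
BASELINE_EVENTS = [
    {"identity": "mi-web-app", "result": "Success", "ip": "10.1.2.10",
     "subscription": "sub-prod", "resource_type": "Microsoft.Storage/storageAccounts",
     "operation": "Microsoft.Storage/storageAccounts/blobServices/read"},
    {"identity": "mi-web-app", "result": "Success", "ip": "10.1.2.11",
     "subscription": "sub-prod", "resource_type": "Microsoft.KeyVault/vaults",
     "operation": "Microsoft.KeyVault/vaults/secrets/getSecret/action"},
    {"identity": "mi-batch", "result": "Success", "ip": "10.1.3.20",
     "subscription": "sub-prod", "resource_type": "Microsoft.Storage/storageAccounts",
     "operation": "Microsoft.Storage/storageAccounts/blobServices/read"},
]

# Constructed events under review, one per situation the triggers describe.
REVIEW_EVENTS = [
    # Same subnet, subscription, resource type and operation as the baseline: nothing unusual.
    {"identity": "mi-web-app", "result": "Success", "ip": "10.1.2.12",
     "subscription": "sub-prod", "resource_type": "Microsoft.Storage/storageAccounts",
     "operation": "Microsoft.Storage/storageAccounts/blobServices/read"},
    # Trigger 1: successful sign-in from a network never seen for this identity.
    {"identity": "mi-web-app", "result": "Success", "ip": "198.51.100.7",
     "subscription": "sub-prod", "resource_type": "Microsoft.KeyVault/vaults",
     "operation": "Microsoft.KeyVault/vaults/secrets/getSecret/action"},
    # Failed sign-in from the same unusual address: trigger 1 covers successful logins only.
    {"identity": "mi-web-app", "result": "Failure", "ip": "198.51.100.7",
     "subscription": "sub-prod", "resource_type": "Microsoft.KeyVault/vaults",
     "operation": "Microsoft.KeyVault/vaults/secrets/getSecret/action"},
    # Triggers 2 and 3: known network, but a subscription, resource type and operation this identity never used.
    {"identity": "mi-batch", "result": "Success", "ip": "10.1.3.21",
     "subscription": "sub-dev", "resource_type": "Microsoft.Compute/virtualMachines",
     "operation": "Microsoft.Compute/virtualMachines/write"},
    # An identity with no baseline at all: cannot be scored, needs manual review.
    {"identity": "mi-new", "result": "Success", "ip": "10.1.4.5",
     "subscription": "sub-prod", "resource_type": "Microsoft.Storage/storageAccounts",
     "operation": "Microsoft.Storage/storageAccounts/blobServices/read"},
]


def network_of(ip: str) -> str:
    """Normalise an address to its /24 (IPv4) or /64 (IPv6) network.

    Comparing networks rather than exact addresses keeps ordinary address churn
    within one subnet from being reported as a new location.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(events):
    """Per identity, collect the networks, subscriptions, resource types and
    operations seen in the baseline window. Only successful sign-ins contribute
    networks, since only those prove the identity was actually used from there."""
    baseline = defaultdict(lambda: {"networks": set(), "subscriptions": set(),
                                    "resource_types": set(), "operations": set()})
    for e in events:
        profile = baseline[e["identity"]]
        if e["result"] == "Success":
            profile["networks"].add(network_of(e["ip"]))
        profile["subscriptions"].add(e["subscription"])
        profile["resource_types"].add(e["resource_type"])
        profile["operations"].add(e["operation"])
    return dict(baseline)


def evaluate(event, baseline):
    """Return the list of trigger names the event matches; an empty list means
    the event is consistent with the identity's baseline."""
    profile = baseline.get(event["identity"])
    if profile is None:
        return ["no_baseline"]  # never-seen identity: review by hand rather than guess
    hits = []
    if event["result"] == "Success" and network_of(event["ip"]) not in profile["networks"]:
        hits.append("unusual_ip")
    if event["subscription"] not in profile["subscriptions"]:
        hits.append("unusual_subscription")
    if event["resource_type"] not in profile["resource_types"]:
        hits.append("unusual_resource_type")
    if event["operation"] not in profile["operations"]:
        hits.append("unusual_operation")
    return hits


def flag_events(baseline_events, review_events):
    """Score every review event against the baseline and return
    (identity, ip, triggers) for each event with at least one trigger."""
    baseline = build_baseline(baseline_events)
    findings = []
    for e in review_events:
        hits = evaluate(e, baseline)
        if hits:
            findings.append((e["identity"], e["ip"], hits))
    return findings


if __name__ == "__main__":
    for identity, ip, hits in flag_events(BASELINE_EVENTS, REVIEW_EVENTS):
        print(f"{identity} from {ip}: {', '.join(hits)}")
```

Run stand-alone, the script reports three events: the sign-in from 198.51.100.7 (unusual_ip), the mi-batch write in sub-dev (unusual_subscription, unusual_resource_type, unusual_operation), and mi-new (no_baseline). The failed attempt from the unusual address is deliberately not reported, matching the first trigger's wording; in a real investigation the baseline window would be drawn from the Azure sign-in and Activity Logs for the identity in question, and the identities and operations flagged here are exactly the ones to take into the permissions, configuration and audit steps above.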