Azure Resource Group Admin Role Unassigned
Detection overview
Triggers
- Removal of a highly permissive role assigned to an entity at the Resource Group level.
Possible Root Causes
- Malicious Activity: An attacker is attempting to isolate access to a Resource Group by removing a legitimate administrator, impairing defenses and disrupting logging visibility.
- Administrative Change: A legitimate administrator is performing authorized changes to permissions.
Business Impact
- An attacker can weaken defenses by removing critical administrative access, compromising the victim's ability to respond effectively.
- Evading detection by disrupting logging and security monitoring mechanisms.
Steps to Verify
- Investigate the Principal: Review the identity that performed the role removal for other signs of malicious activity.
- Check Security Policies: Determine whether the removal of the privileged role was sanctioned according to organizational security policies.
- If Malicious Actions or High-Risk Modifications Are Suspected:
- Disable credentials associated with this alert to prevent further unauthorized access.
- Regrant privileges within the Resource Group as necessary to restore visibility and administrative control.
- Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
Azure Resource Group Admin Role Unassigned
Possible root causes
Malicious Detection
Benign Detection
Azure Resource Group Admin Role Unassigned
Example scenarios
Azure Resource Group Admin Role Unassigned
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Resource Group Admin Role Unassigned
Steps to investigate
Azure Resource Group Admin Role Unassigned
MITRE ATT&CK techniques covered
Azure Resource Group Admin Role Unassigned
Related detections
No items found.