Azure Resource Group Admin Role Unassigned

Detection overview

Triggers

  • Deletion of a highly permissive role assignment (for example Owner, Contributor or User Access Administrator) held by a user, group, service principal or managed identity, where the assignment is scoped to a Resource Group.

Possible Root Causes

  • Malicious Activity: An attacker who has obtained rights to manage role assignments removes a legitimate administrator from the Resource Group to lock defenders out of it, impairing their ability to respond and disrupting logging and monitoring visibility into the group's resources.
  • Administrative Change: A legitimate administrator is performing authorized changes to permissions.

Business Impact

  • An attacker can weaken defenses by removing critical administrative access, compromising the victim's ability to respond effectively.
  • An attacker can evade detection by disrupting the logging and security monitoring mechanisms that the removed administrators maintained.

Steps to Verify

  • Investigate the Principal: Review the identity that performed the role removal for other signs of malicious activity, and confirm which principal lost the role and from which Resource Group.
  • Check Security Policies: Determine whether the removal of the privileged role was sanctioned under organizational security policy, for example by an approved change request or change window.
  • If Malicious Actions or High-Risk Modifications Are Suspected:
    • Disable the credentials of the principal that performed the removal to prevent further unauthorized access.
    • Re-grant the removed privileges within the Resource Group as necessary to restore visibility and administrative control.
    • Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
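The trigger and the policy check above, as an added worked example that is not part of the original page and is neither the vendor's detection code nor an Azure API: a small Python detector that reads constructed Azure Activity Log events, keeps only successful Microsoft.Authorization/roleAssignments/delete operations whose scope is exactly a Resource Group and whose role is one of the documented broad built-in roles, and marks each finding as sanctioned or not against a constructed change-window list. The event layout (in particular roleDefinitionId and principalId sitting directly under properties), the subscription, principal and ticket IDs, the callers and the scope names are all assumptions made for the example; check the field placement against your tenant's real export before reusing the normalizer.

```python
"""Detect removal of a privileged role assignment at Resource Group scope.

Constructed example: the events below imitate a normalized Azure Activity Log
export of Microsoft.Authorization/roleAssignments/delete records. Placing
roleDefinitionId/principalId under `properties` is an assumption; adapt
normalize() to the shape your pipeline actually emits.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Documented Azure built-in role definition IDs that give broad control of a
# scope. Verify against `az role definition list` and extend as policy requires.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
ROLE_DELETE_OP = "Microsoft.Authorization/roleAssignments/delete"
# Exactly a Resource Group scope: nothing after the group name. Subscription-
# and resource-scoped removals are separate detections and are ignored here.
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)


@dataclass
class Finding:
    time: datetime
    caller: str             # identity that deleted the assignment
    removed_principal: str  # object ID that lost the role
    role: str
    scope: str
    sanctioned: bool        # covered by an approved change record?


def normalize(event):
    """Pull the fields the rule needs out of one Activity Log event (a dict)."""
    props = event.get("properties", {})
    return {
        "time": datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00")),
        "op": event["operationName"]["value"],
        "status": event["status"]["value"],
        "caller": event["caller"],
        "scope": event["authorization"]["scope"],
        # roleDefinitionId is a full ARM path; the role GUID is its last segment.
        "role_id": props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower(),
        "principal": props.get("principalId", "unknown"),
    }


def is_privileged_rg_removal(ev):
    """Trigger: a successful delete of a broad role scoped to one Resource Group."""
    return (ev["op"] == ROLE_DELETE_OP and ev["status"] == "Succeeded"
            and RG_SCOPE.match(ev["scope"]) is not None
            and ev["role_id"] in PRIVILEGED_ROLE_IDS)


def is_sanctioned(ev, changes):
    """Policy check: an approved change by this caller, on this scope, covering the event time."""
    return any(c["caller"].lower() == ev["caller"].lower()
               and c["scope"].lower() == ev["scope"].lower()
               and c["start"] <= ev["time"] <= c["end"] for c in changes)


def detect(events, changes):
    """Return one Finding per triggering event, tagged with the policy-check result."""
    findings = []
    for raw in events:
        ev = normalize(raw)
        if is_privileged_rg_removal(ev):
            findings.append(Finding(ev["time"], ev["caller"], ev["principal"],
                                    PRIVILEGED_ROLE_IDS[ev["role_id"]], ev["scope"],
                                    is_sanctioned(ev, changes)))
    return findings


# ---- constructed sample data (subscription, principals, callers and times are invented) ----
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = f"{SUB}/resourceGroups/prod-payments"


def _event(ts, op, status, caller, scope, role_id, principal):
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller,
            "authorization": {"action": op, "scope": scope},
            "properties": {"roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                           "principalId": principal}}


OWNER, CONTRIB, UAA = list(PRIVILEGED_ROLE_IDS)
SAMPLE_EVENTS = [
    # 1. Owner removed from the RG at 02:13 by an unexpected caller: triggers, unsanctioned.
    _event("2024-05-01T02:13:07Z", ROLE_DELETE_OP, "Succeeded", "contractor@contoso.com", RG, OWNER, "aaaaaaaa-0000-0000-0000-000000000001"),
    # 2. Contributor removed inside an approved change window: triggers, sanctioned.
    _event("2024-05-01T10:05:00Z", ROLE_DELETE_OP, "Succeeded", "ops.admin@contoso.com", RG, CONTRIB, "aaaaaaaa-0000-0000-0000-000000000002"),
    # 3. A non-privileged (constructed) role ID removed: not a trigger.
    _event("2024-05-01T10:06:00Z", ROLE_DELETE_OP, "Succeeded", "ops.admin@contoso.com", RG, "cccccccc-0000-0000-0000-0000000000cc", "aaaaaaaa-0000-0000-0000-000000000003"),
    # 4. Owner removed at subscription scope: outside this rule's scope.
    _event("2024-05-01T02:20:00Z", ROLE_DELETE_OP, "Succeeded", "contractor@contoso.com", SUB, OWNER, "aaaaaaaa-0000-0000-0000-000000000004"),
    # 5. Role assignment created (write), not removed: not a trigger.
    _event("2024-05-01T02:21:00Z", "Microsoft.Authorization/roleAssignments/write", "Succeeded", "contractor@contoso.com", RG, OWNER, "aaaaaaaa-0000-0000-0000-000000000005"),
    # 6. Failed delete attempt: only successful removals count here.
    _event("2024-05-01T02:22:00Z", ROLE_DELETE_OP, "Failed", "contractor@contoso.com", RG, UAA, "aaaaaaaa-0000-0000-0000-000000000001"),
]
APPROVED_CHANGES = [  # constructed change-management record
    {"ticket": "CHG-0042", "caller": "ops.admin@contoso.com", "scope": RG,
     "start": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
     "end": datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, APPROVED_CHANGES):
        verdict = "sanctioned" if f.sanctioned else "UNSANCTIONED: investigate caller"
        print(f"{f.time:%Y-%m-%d %H:%M}Z {f.caller} removed {f.role} from {f.removed_principal} at {f.scope}: {verdict}")
```

In a real pipeline the events would come from a Log Analytics or Event Hub export and the policy check would query the change-management system rather than a list; an unsanctioned finding is the point at which the response steps above (disable the caller's credentials, re-grant the role, scope the compromise) begin.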