Azure Suspicious Policy Assignment

Detection overview

Triggers

  • Policy assignment by a principal (user or service account) who usually does not perform such actions.

Possible Root Causes

  • Unauthorized Access: A compromised principal is attempting to assign policies without authorization.
  • Unusual Administrative Activity: A legitimate principal with elevated privileges is performing policy assignments outside their normal scope of work.
  • Human Error or Misconfiguration: Accidental policy assignments due to incorrect configuration or administrative oversight.

Business Impact

  • Enforcement of Non-Compliant Policies: Policies that do not align with organizational security or compliance standards may be enforced.
  • Disruption of Operations: Restrictive policies may block or disrupt critical business functions.
  • Security Vulnerabilities: Misconfigured policies may inadvertently weaken the security posture of the environment.

Steps to Verify

  • Review Azure Activity Logs: Investigate the principal's previous activities related to policy assignments.
  • Analyze Context: Review the time of day, location, and associated resource changes to determine if the activity is legitimate.
  • If Malicious Actions or High-Risk Modifications Are Suspected:
    • Revert unauthorized policy modifications.
    • Disable credentials associated with this alert to prevent further unauthorized changes.
    • Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
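
The baseline check behind the trigger and the first two verification steps, written here as an added example (not code from this page or the product it describes) and run over constructed Activity Log records. It assumes the Activity Log operation name "Microsoft.Authorization/policyAssignments/write" for a policy assignment write, the record field names shown, and a 14-day baseline window.

```python
"""Baseline check for the trigger above: flag a policy assignment write when
the caller made no such write in the preceding baseline window.
Added example, not code from the original page. Assumes the Activity Log
operation name "Microsoft.Authorization/policyAssignments/write"."""
from collections import defaultdict
from datetime import datetime, timedelta

POLICY_ASSIGN_OP = "Microsoft.Authorization/policyAssignments/write"
VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"

def rec(caller, op, ts, ip):
    return {"caller": caller, "operationName": op, "eventTimestamp": ts, "callerIpAddress": ip}

# Constructed sample Activity Log records (not real data).
ACTIVITY_LOG = [
    rec("policy-admin@contoso.example", POLICY_ASSIGN_OP, "2024-03-01T10:15:00Z", "203.0.113.10"),
    rec("policy-admin@contoso.example", POLICY_ASSIGN_OP, "2024-03-12T09:40:00Z", "203.0.113.10"),
    rec("dev-ops@contoso.example", VM_WRITE_OP, "2024-03-20T14:05:00Z", "203.0.113.22"),
    rec("policy-admin@contoso.example", POLICY_ASSIGN_OP, "2024-03-20T16:30:00Z", "203.0.113.10"),
    rec("policy-admin@contoso.example", POLICY_ASSIGN_OP, "2024-03-28T11:02:00Z", "203.0.113.10"),
    rec("dev-ops@contoso.example", POLICY_ASSIGN_OP, "2024-03-29T02:47:00Z", "198.51.100.7"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_assignments(records, baseline_days=14):
    """Return one alert per policy assignment write by a caller with no such
    write in the previous baseline_days. Writes that occur before a full
    baseline window of log data exists are only learned, never alerted
    (avoids a flood of false positives when collection starts)."""
    ordered = sorted(records, key=lambda r: r["eventTimestamp"])
    log_start = parse_ts(ordered[0]["eventTimestamp"])
    history = defaultdict(list)   # caller -> timestamps of policy writes
    other_ops = defaultdict(set)  # caller -> other operations seen
    alerts = []
    for r in ordered:
        caller, ts = r["caller"], parse_ts(r["eventTimestamp"])
        if r["operationName"] != POLICY_ASSIGN_OP:
            other_ops[caller].add(r["operationName"])
            continue
        window_start = ts - timedelta(days=baseline_days)
        prior = [t for t in history[caller] if window_start <= t < ts]
        if window_start >= log_start and not prior:
            # Context for the 'Analyze Context' step: hour, source IP, other activity.
            alerts.append({"caller": caller, "eventTimestamp": r["eventTimestamp"],
                           "callerIpAddress": r["callerIpAddress"], "hourUtc": ts.hour,
                           "otherRecentOps": sorted(other_ops[caller])})
        history[caller].append(ts)
    return alerts
```

Only the dev-ops write at 02:47 UTC from a new address is flagged; the policy-admin writes fall inside that caller's own baseline and the earliest records are treated as the learning period.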