Azure Suspicious Policy Assignment
Detection overview
Triggers
- Policy assignment by a principal (user or service account) who usually does not perform such actions.
Possible Root Causes
- Unauthorized Access: A compromised principal is attempting to assign policies without authorization.
- Unusual Administrative Activity: A legitimate principal with elevated privileges is performing policy assignments outside their normal scope of work.
- Human Error or Misconfiguration: Accidental policy assignments due to incorrect configuration or administrative oversight.
Business Impact
- Enforcement of Non-Compliant Policies: Policies that do not align with organizational security or compliance standards may be enforced.
- Disruption of Operations: Restrictive policies may block or disrupt critical business functions.
- Security Vulnerabilities: Misconfigured policies may inadvertently weaken the security posture of the environment.
Steps to Verify
- Review Azure Activity Logs: Investigate the principal�s previous activities related to policy assignments.
- Analyze Context: Review the time of day, location, and associated resource changes to determine if the activity is legitimate.
- If Malicious Actions or High-Risk Modifications Are Suspected:
- Revert unauthorized policy modifications.
- Disable credentials associated with this alert to prevent further unauthorized changes.
- Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
Azure Suspicious Policy Assignment
Possible root causes
Malicious Detection
Benign Detection
Azure Suspicious Policy Assignment
Example scenarios
Azure Suspicious Policy Assignment
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspicious Policy Assignment
Steps to investigate
Azure Suspicious Policy Assignment
Related detections
No items found.