Azure Suspicious Policy Creation or Modification

Triggers

• Policy creation or modification by a principal (user or service account) who usually does not perform such actions.

Possible Root Causes

• Unauthorized Access: A compromised principal account is attempting unauthorized modifications to Azure policies.
• Misconfiguration or Human Error: An administrator unintentionally modifies policies, leading to unintended security or operational consequences.
• Unusual Administrative Activity: A legitimate user with elevated privileges is performing policy modifications outside their normal responsibilities.

Business Impact

Modifications to Azure policies can have various consequences depending on the policy effect:

• DeployIfNotExists: May deploy resources that introduce security vulnerabilities or malicious configurations.
• Append: Can enforce settings or tags that weaken security postures.
• Modify: Directly alters resource configurations, potentially leading to misconfigurations.

Steps to Verify

• Check Azure Activity Logs: Investigate the user�s previous activities related to policy management.
• Analyze Context: Review associated resource changes to determine if the activity is legitimate.
• If Malicious Actions or High-Risk Modifications Are Suspected:
  • Revert unauthorized policy modifications.
  • Disable credentials associated with this alert to prevent further unauthorized changes.
  • Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.