Azure Suspicious Policy Creation or Modification

Detection overview

Triggers

  • Policy creation or modification by a principal (user or service account) who usually does not perform such actions.

Possible Root Causes

  • Unauthorized Access: A compromised principal account is attempting unauthorized modifications to Azure policies.
  • Misconfiguration or Human Error: An administrator unintentionally modifies policies, leading to unintended security or operational consequences.
  • Unusual Administrative Activity: A legitimate user with elevated privileges is performing policy modifications outside their normal responsibilities.

Business Impact

Modifications to Azure policies can have various consequences depending on the policy effect:

  • DeployIfNotExists: May deploy resources that introduce security vulnerabilities or malicious configurations.
  • Append: Can enforce settings or tags that weaken security postures.
  • Modify: Directly alters resource configurations, potentially leading to misconfigurations.

Steps to Verify

  • Check Azure Activity Logs: Investigate the user's previous activities related to policy management.
  • Analyze Context: Review associated resource changes to determine if the activity is legitimate.
  • If Malicious Actions or High-Risk Modifications Are Suspected:
    • Revert unauthorized policy modifications.
    • Disable credentials associated with this alert to prevent further unauthorized changes.
    • Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
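The trigger above (a policy write by a principal with no history of such writes) and the first verification step (reviewing that principal's earlier policy activity in the Activity Log) can both be expressed as a small baseline check. The following is an added example, not code from the original page or from Vectra or Microsoft. The operation names are the real Microsoft.Authorization write operations that appear in Activity Log entries; the flat record layout, the `effect` field, and the caller names are constructed assumptions so the example runs offline. It goes slightly beyond the page by ranking each flagged write according to the effect it carries, using the three effects the Business Impact section lists.

```python
"""Baseline check for Azure policy writes by principals who do not normally
perform them, with each flagged write ranked by the policy effect it carries.

Added example; not code from the original page or from Vectra or Microsoft.
The operation names are the real Microsoft.Authorization write operations seen
in Activity Log entries. The flat record layout, the `effect` field and the
caller names are assumptions made so the example runs on constructed records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ASSIGN_WRITE = "Microsoft.Authorization/policyAssignments/write"
DEF_WRITE = "Microsoft.Authorization/policyDefinitions/write"
SET_WRITE = "Microsoft.Authorization/policySetDefinitions/write"
EXEMPT_WRITE = "Microsoft.Authorization/policyExemptions/write"
POLICY_WRITE_OPS = {ASSIGN_WRITE, DEF_WRITE, SET_WRITE, EXEMPT_WRITE}

# Effects the page calls out as able to change resources; a write carrying
# one of them is ranked above an Audit or Deny write.
HIGH_RISK_EFFECTS = {"DeployIfNotExists", "Modify", "Append"}

# Constructed sample Activity Log records (flattened; not real data).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:00:00", "caller": "policy-admin@contoso.example",
     "op": ASSIGN_WRITE, "status": "Succeeded", "effect": "Audit"},
    {"time": "2024-04-02T09:30:00", "caller": "policy-admin@contoso.example",
     "op": ASSIGN_WRITE, "status": "Succeeded", "effect": "Audit"},
    {"time": "2024-04-10T11:00:00", "caller": "policy-admin@contoso.example",
     "op": DEF_WRITE, "status": "Succeeded", "effect": "Deny"},
    {"time": "2024-04-20T14:15:00", "caller": "policy-admin@contoso.example",
     "op": ASSIGN_WRITE, "status": "Succeeded", "effect": "DeployIfNotExists"},
    {"time": "2024-05-01T10:00:00", "caller": "dev-pipeline-sp",
     "op": "Microsoft.Compute/virtualMachines/read", "status": "Succeeded"},
    {"time": "2024-05-03T09:00:00", "caller": "policy-admin@contoso.example",
     "op": ASSIGN_WRITE, "status": "Succeeded", "effect": "Modify"},
    {"time": "2024-05-04T10:15:00", "caller": "dev-pipeline-sp",
     "op": ASSIGN_WRITE, "status": "Succeeded", "effect": "DeployIfNotExists"},
    {"time": "2024-05-05T16:40:00", "caller": "contractor@partner.example",
     "op": DEF_WRITE, "status": "Succeeded", "effect": "Audit"},
    {"time": "2024-05-06T08:05:00", "caller": "contractor@partner.example",
     "op": ASSIGN_WRITE, "status": "Failed", "effect": "Deny"},
    {"time": "2024-05-06T12:30:00", "caller": "dev-pipeline-sp",
     "op": EXEMPT_WRITE, "status": "Succeeded"},
]


def is_policy_write(event):
    """Only successful policy writes count, both for the baseline and for alerts."""
    return event["op"] in POLICY_WRITE_OPS and event["status"] == "Succeeded"


def find_unusual_policy_writes(events, alert_from, lookback_days=90, min_prior=2):
    """Flag policy writes by callers with fewer than `min_prior` earlier
    policy writes in the preceding `lookback_days`. Events before
    `alert_from` only seed the per-caller baseline and never alert, which
    avoids flagging every caller on the first day the logs are examined."""
    alert_start = datetime.fromisoformat(alert_from)
    writes = sorted((e for e in events if is_policy_write(e)),
                    key=lambda e: e["time"])
    history = defaultdict(list)  # caller -> timestamps of earlier policy writes
    findings = []
    for ev in writes:
        t = datetime.fromisoformat(ev["time"])
        window_start = t - timedelta(days=lookback_days)
        prior = [p for p in history[ev["caller"]] if p >= window_start]
        if t >= alert_start and len(prior) < min_prior:
            findings.append({
                "time": ev["time"],
                "caller": ev["caller"],
                "op": ev["op"],
                "prior_writes_in_window": len(prior),
                # Rank by effect: DeployIfNotExists/Modify/Append change resources.
                "risk": "high" if ev.get("effect") in HIGH_RISK_EFFECTS else "medium",
            })
        history[ev["caller"]].append(t)
    return findings


if __name__ == "__main__":
    for f in find_unusual_policy_writes(SAMPLE_EVENTS, alert_from="2024-05-01T00:00:00"):
        print(f"{f['time']} {f['risk']:6} {f['caller']:30} {f['op']} "
              f"(prior writes in window: {f['prior_writes_in_window']})")
```

On the constructed records the regular policy administrator is not flagged (three earlier writes inside the 90-day window), while the pipeline service principal and the contractor account are, with the DeployIfNotExists assignment ranked high. The failed write is ignored by design; in a real triage the failed attempts from the same principal are still worth reading in the Activity Log, since they show what the principal tried before succeeding.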
Business impact

If this detection indicates a genuine threat, the organization faces significant risks:
