Triggers
- Policy creation or modification by a principal (user or service account) who usually does not perform such actions.
Possible Root Causes
- Unauthorized Access: A compromised principal account is attempting unauthorized modifications to Azure policies.
- Misconfiguration or Human Error: An administrator unintentionally modifies policies, leading to unintended security or operational consequences.
- Unusual Administrative Activity: A legitimate user with elevated privileges is performing policy modifications outside their normal responsibilities.
Business Impact
Modifications to Azure policies can have various consequences depending on the policy effect:
- DeployIfNotExists: May deploy resources that introduce security vulnerabilities or malicious configurations.
- Append: Can enforce settings or tags that weaken security postures.
- Modify: Directly alters resource configurations, potentially leading to misconfigurations.
Steps to Verify
- Check Azure Activity Logs: Investigate the user's previous activities related to policy management.
- Analyze Context: Review associated resource changes to determine if the activity is legitimate.
- If Malicious Actions or High-Risk Modifications Are Suspected:
  - Revert unauthorized policy modifications.
  - Disable credentials associated with this alert to prevent further unauthorized changes.
  - Conduct a comprehensive investigation to determine the initial compromise and assess the scope of impacted resources.
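The following is an added example, not part of the original alert description, that puts the trigger ("policy creation or modification by a principal who usually does not perform such actions") and the first verification step ("check Azure Activity Logs for the user's previous policy-related activity") into working code. It builds a 30-day baseline of which principals perform Azure Policy write operations, flags later policy writes by principals absent from that baseline, and summarizes a flagged principal's history. The log lines are constructed samples shaped like Azure Activity Log JSON exports; the field names (eventTimestamp, caller, operationName, resultType, resourceId), the subscription placeholder and the lookback window are assumptions to check against your own export.

```python
"""Baseline-and-anomaly check for Azure Policy modifications (added example).

Not the original page's code. Field names and the 30-day lookback are assumptions;
SAMPLE_LOG is constructed data, not real telemetry.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Resource-provider operations that create, change or remove Azure Policy objects.
POLICY_WRITE_OPERATIONS = {
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policySetDefinitions/write",
    "Microsoft.Authorization/policyExemptions/write",
}

# Constructed sample export: one JSON record per line, plus one malformed line.
SAMPLE_LOG = """
{"eventTimestamp": "2024-02-20T09:00:00Z", "caller": "policy-admin@contoso.example", "operationName": "Microsoft.Authorization/policyAssignments/write", "resultType": "Success", "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/policyAssignments/require-tags"}
{"eventTimestamp": "2024-02-27T10:30:00Z", "caller": "policy-admin@contoso.example", "operationName": "Microsoft.Authorization/policyDefinitions/write", "resultType": "Success", "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/policyDefinitions/deny-public-ip"}
{"eventTimestamp": "2024-03-05T08:15:00Z", "caller": "svc-app-deploy", "operationName": "Microsoft.Compute/virtualMachines/write", "resultType": "Success", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/web01"}
this line is not JSON and is skipped by the parser
{"eventTimestamp": "2024-03-12T02:41:00Z", "caller": "svc-app-deploy", "operationName": "Microsoft.Authorization/policyAssignments/write", "resultType": "Success", "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/policyAssignments/deploy-agent"}
{"eventTimestamp": "2024-03-12T11:00:00Z", "caller": "policy-admin@contoso.example", "operationName": "Microsoft.Authorization/policyAssignments/write", "resultType": "Success", "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/policyAssignments/require-tags"}
"""

# Assumed analysis point: records before it form the baseline, records at or after it are checked.
CUTOFF = datetime(2024, 3, 10, tzinfo=timezone.utc)


def parse_activity_log(text):
    """Parse newline-delimited JSON records, skipping malformed or undated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # one bad export line should not abort the whole review
        records.append(rec)
    return records


def policy_writers_baseline(records, cutoff=CUTOFF, lookback_days=30):
    """Count policy write operations per principal in the lookback window before cutoff."""
    start = cutoff - timedelta(days=lookback_days)
    baseline = Counter()
    for r in records:
        if r.get("operationName") in POLICY_WRITE_OPERATIONS and start <= r["ts"] < cutoff:
            baseline[r.get("caller", "<unknown>")] += 1
    return baseline


def find_unusual_policy_writes(records, cutoff=CUTOFF, lookback_days=30):
    """Return policy writes at/after cutoff by principals with no writes in the baseline."""
    baseline = policy_writers_baseline(records, cutoff, lookback_days)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"] < cutoff or r.get("operationName") not in POLICY_WRITE_OPERATIONS:
            continue
        caller = r.get("caller", "<unknown>")
        if caller not in baseline:
            alerts.append({
                "time": r["ts"].isoformat(),
                "caller": caller,
                "operation": r["operationName"],
                "result": r.get("resultType"),
                "resource": r.get("resourceId"),
            })
    return alerts


def principal_history(records, caller):
    """Operation counts for one principal: the 'check previous activity' verification step."""
    return Counter(r.get("operationName") for r in records if r.get("caller") == caller)


def run_sample():
    """Run the check over the constructed sample and return alerts plus each flagged principal's history."""
    records = parse_activity_log(SAMPLE_LOG)
    alerts = find_unusual_policy_writes(records)
    histories = {a["caller"]: dict(principal_history(records, a["caller"])) for a in alerts}
    return {"record_count": len(records), "alerts": alerts, "histories": histories}


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample, the only flagged event is the policyAssignments/write by svc-app-deploy, whose prior history contains only a virtual-machine write; the recurring policy-admin principal is in the baseline and is not flagged. In practice the baseline should be built from the same Activity Log export or Log Analytics workspace the alert was raised from, and a flagged service principal's resourceId and the policy effect it set are what the "Analyze Context" step then reviews.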