Azure Suspicious Policy Remediation Task
Detection overview
Triggers
- Creation of an Azure Policy remediation task by a user who usually does not perform such actions.
Possible Root Causes
- Unauthorized Access: A compromised principal is attempting to create a remediation task to exploit Azure resources.
- Unusual Administrative Activity: A legitimate principal with elevated privileges is performing actions outside their typical scope of work.
Business Impact
- A remediation task could automatically deploy unwanted resources, such as virtual machines, potentially creating backdoors or exposing sensitive data.
- Automatic application of configurations could weaken security, such as enabling additional network ports or modifying compliance-critical settings.
Steps to Verify
- Review Azure Activity Logs: Investigate the user�s previous activities to verify their typical behavior.
- Analyze Context: Examine the associated policy changes or triggered events to determine if the action is legitimate.
- Identify Unintended Changes: Look for unexpected resource deployments or configuration modifications triggered by the remediation task.
Azure Suspicious Policy Remediation Task
Possible root causes
Malicious Detection
Benign Detection
Azure Suspicious Policy Remediation Task
Example scenarios
Azure Suspicious Policy Remediation Task
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspicious Policy Remediation Task
Steps to investigate
Azure Suspicious Policy Remediation Task
MITRE ATT&CK techniques covered
Azure Suspicious Policy Remediation Task
Related detections
No items found.