Azure Suspicious Policy Remediation Task

Detection overview

Triggers

  • Creation of an Azure Policy remediation task by a user who usually does not perform such actions.

Possible Root Causes

  • Unauthorized Access: A compromised principal is attempting to create a remediation task to exploit Azure resources.
  • Unusual Administrative Activity: A legitimate principal with elevated privileges is performing actions outside their typical scope of work.

Business Impact

  • A remediation task could automatically deploy unwanted resources, such as virtual machines, potentially creating backdoors or exposing sensitive data.
  • Automatic application of configurations could weaken security, such as enabling additional network ports or modifying compliance-critical settings.

Steps to Verify

  • Review Azure Activity Logs: Investigate the user's previous activities to verify their typical behavior.
  • Analyze Context: Examine the associated policy changes or triggered events to determine if the action is legitimate.
  • Identify Unintended Changes: Look for unexpected resource deployments or configuration modifications triggered by the remediation task.
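The trigger and the first verification step above, worked as an added example (this is not code from the page or its author): a per-caller baseline of remediation-task creations from exported Azure Activity Log records, a flag for creations by callers with no prior history, and a summary of what the same caller did shortly before. The operation name `Microsoft.PolicyInsights/remediations/write`, the field names, the log records and the subscription id are assumed or constructed, not taken from the page.

```python
from collections import Counter
from datetime import datetime, timedelta

# Activity Log operation name for remediation-task creation (assumed, Microsoft.PolicyInsights provider).
REMEDIATION_WRITE = "Microsoft.PolicyInsights/remediations/write"
SUB = "/subscriptions/SUB-ID-PLACEHOLDER"  # placeholder subscription scope

# Constructed sample Activity Log records (not real data); field names follow the export schema.
SAMPLE_LOG = [
    {"caller": "policy-admin@example.com", "operationName": REMEDIATION_WRITE, "eventTimestamp": "2024-04-02T09:10:00Z",
     "resourceId": SUB + "/providers/Microsoft.PolicyInsights/remediations/fix-tags-1"},
    {"caller": "policy-admin@example.com", "operationName": REMEDIATION_WRITE, "eventTimestamp": "2024-04-16T09:12:00Z",
     "resourceId": SUB + "/providers/Microsoft.PolicyInsights/remediations/fix-tags-2"},
    {"caller": "dev-user@example.com", "operationName": "Microsoft.Compute/virtualMachines/read", "eventTimestamp": "2024-05-01T08:00:00Z",
     "resourceId": SUB + "/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/web01"},
    {"caller": "dev-user@example.com", "operationName": "Microsoft.Authorization/roleAssignments/write", "eventTimestamp": "2024-05-03T22:41:00Z",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1"},
    {"caller": "dev-user@example.com", "operationName": REMEDIATION_WRITE, "eventTimestamp": "2024-05-03T22:45:00Z",
     "resourceId": SUB + "/providers/Microsoft.PolicyInsights/remediations/deploy-vm-ext"},
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def baseline_remediation_counts(entries, before):
    """Per-caller count of remediation-task creations strictly before `before`."""
    counts = Counter()
    for e in entries:
        if e["operationName"] == REMEDIATION_WRITE and parse_ts(e["eventTimestamp"]) < before:
            counts[e["caller"]] += 1
    return counts

def flag_unusual_remediations(entries, lookback_days=30, now=None):
    """Creations in the lookback window by callers with none before it (the page's trigger)."""
    now = now or max(parse_ts(e["eventTimestamp"]) for e in entries)
    window_start = now - timedelta(days=lookback_days)
    baseline = baseline_remediation_counts(entries, window_start)
    return [e for e in entries if e["operationName"] == REMEDIATION_WRITE
            and parse_ts(e["eventTimestamp"]) >= window_start and baseline[e["caller"]] == 0]

def caller_context(entries, event, hours=24):
    """Other operations by the same caller shortly before the flagged event (first thing to review)."""
    end = parse_ts(event["eventTimestamp"])
    start = end - timedelta(hours=hours)
    return sorted(e["operationName"] for e in entries if e["caller"] == event["caller"]
                  and e is not event and start <= parse_ts(e["eventTimestamp"]) < end)

if __name__ == "__main__":
    for hit in flag_unusual_remediations(SAMPLE_LOG):
        print(hit["caller"], hit["resourceId"], "prior activity:", caller_context(SAMPLE_LOG, hit))
```

On the constructed records only the developer account is flagged, and its context shows a role assignment written minutes before the remediation task, which is the kind of surrounding activity the "Analyze Context" step asks for.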