Azure AD Privilege Operation Anomaly

View all detections
Azure AD Privilege Operation Anomaly

Triggers

  • Abnormal Azure AD operations that may be associated with privilege escalation or account takeover.

Possible Root Causes

  • Attackers may be escalating privileges and performing admin-level operations after regular account takeover.
  • A user whose learned activity baseline has been lost as a result of a prolonged leave of absence or a change in job function has returned to their regular job.
  • A user’s role may have evolved as part of a special project or assignment and the user is performing Azure AD activities previously outside of their learned baseline.

Business Impact

  • Users substantially deviating from their learned baseline in ways that correspond to threats associated with privilege escalation or account takeover often indicate an adversary foothold.
  • Account takeover and privilege escalation can lead to sensitive information leakage, ransomware attacks, and other abuses.

Steps to Verify

  • Investigate both the target and result of these operations to understand the potential impact.