Skip to main content

New Azure SP Accessing Resource

This alert occurs when Lacework detects a new Azure user has used an API to access resources for the first time.

Why this Alert is Important

As an Azure administrator, you want to ensure this new user is a valid member of your organization and has the permission to perform this action. A new service principal (SP) accessing a resource may be an indication of a potential security breach. If an unauthorized party gains access to a service principal, they could use it to access sensitive data or perform unauthorized actions.

Investigation

Follow the below steps to investigate the incident:

  1. Review Azure Activity Logs: Azure Activity Logs provide a record of all operations performed on Azure resources, including access by service principals. Review the logs to identify the specific service principal and the resource it accessed.
  2. Verify the identity of the service principal: Ensure that the service principal is a legitimate identity authorized to access the resource. Verify the service principal's name, application ID, and other details to ensure they match those of a trusted application or service.
  3. Review access permissions: Review the access permissions granted to the service principal to ensure they are appropriate and aligned with your organization's security policies. Check the role assignments and access policies to confirm that the service principal has been granted the necessary permissions to access the resource.
  4. Check for any signs of unauthorized access: Look for any signs of unauthorized access or suspicious activity, such as excessive or unusual resource usage, failed login attempts, or changes to resource configurations.
  5. Investigate the source of the incident: Determine the source of the incident by identifying the user or application that created the service principal. Review the Azure AD audit logs to identify any actions performed by the user, such as creating or modifying the service principal.

Resolution

To discover anomalous behavior, we recommend defining a set of expected and accepted behavior. This set helps you determine when unexpected behavior occurs. The definition also helps to reduce the noise level of false positives when monitoring and alerting.

After detecting anomalous behavior, Lacework recommends the following resolutions:

  • Set up risk-based policies.
  • Perform a manual password reset.
  • Search for and select Azure AD Risky users in the Azure portal or the Entra portal, select the affected user, and select Dismiss user(s) risk.