New Azure Subscription Created

This alert occurs when Lacework detects that an Azure user has created a subscription for the first time.

Why this Alert is Important

As an Azure administrator, you want to ensure this new user is a valid member of your organization and is authorized to create a new subscription. Unauthorized or unapproved subscription creation can result in unmanaged resources, unexpected costs, and security vulnerabilities.

Investigation

An unexpected new Azure subscription can indicate a security risk or a compliance issue. The following steps help you investigate:

  • Review Azure Activity Logs: The Azure Activity Logs contain detailed information about all the activities performed on Azure resources. Check the logs for any suspicious activities related to the creation of the new subscription, such as unauthorized access attempts or changes to resource permissions.
  • Review Audit Logs: Check the audit logs for the resource group or management group that the subscription is associated with. Look for any changes or activities that may indicate malicious activity, such as new virtual machines, storage accounts, or network resources.
  • Check Access Control: Review the access control settings for the subscription, and ensure that all permissions are appropriate and necessary. If there are any permissions that are not required, revoke them.
  • Investigate Subscription Creation: Check the date when the new subscription was created, who created it, and what permissions were assigned to it. If the subscription was created by an unauthorized user or has permissions that are not necessary, revoke them and investigate the incident further.
  • Run Vulnerability Scans: Run vulnerability scans on the new subscription to identify any potential security vulnerabilities or weaknesses.
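The log review in the steps above can be scripted. The following is an added example, not Lacework's code or a Lacework feature: a Python triage helper that reads an Azure Activity Log export in the shape returned by `az monitor activity-log list`, reconstructs who created each subscription and which role assignments followed, and flags creations by callers who are not on an approved list, failed creation attempts, and Owner grants made shortly after creation. The operation names, the sample events, the approved-creator list and the flattened `properties` fields are assumptions constructed for this example; check them against your own exports before relying on the output.

```python
"""Triage helper for a "New Azure Subscription Created" alert (added example)."""
import json
from datetime import datetime, timedelta

# Operation names as they appear in Activity Log entries (assumed for this example).
SUBSCRIPTION_CREATE_OPS = {
    "Microsoft.Subscription/aliases/write",
    "Microsoft.Subscription/subscriptions/write",
}
ROLE_ASSIGN_OP = "Microsoft.Authorization/roleAssignments/write"

# Built-in role definition GUIDs mapped to names so findings are readable.
ROLE_NAMES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24f": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}

# Callers allowed to create subscriptions in this (hypothetical) tenant.
APPROVED_CREATORS = {"alice@example.com", "platform-automation@example.com"}

# Constructed sample export. The real role-assignment entry carries the role
# in a nested request body; here it is flattened into properties.roleDefinitionId.
SAMPLE_EXPORT = json.dumps([
    {"eventTimestamp": "2024-05-01T08:00:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Subscription/aliases/write"},
     "status": {"value": "Succeeded"}, "subscriptionId": "sub-1111"},
    {"eventTimestamp": "2024-05-01T08:05:00Z", "caller": "alice@example.com",
     "operationName": {"value": ROLE_ASSIGN_OP}, "status": {"value": "Succeeded"},
     "subscriptionId": "sub-1111",
     "properties": {"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
                    "principalId": "guid-alice"}},
    {"eventTimestamp": "2024-05-01T09:10:00Z", "caller": "ext-user@example.net",
     "operationName": {"value": "Microsoft.Subscription/aliases/write"},
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-05-01T09:12:00Z", "caller": "ext-user@example.net",
     "operationName": {"value": "Microsoft.Subscription/aliases/write"},
     "status": {"value": "Succeeded"}, "subscriptionId": "sub-2222"},
    {"eventTimestamp": "2024-05-01T09:20:00Z", "caller": "ext-user@example.net",
     "operationName": {"value": ROLE_ASSIGN_OP}, "status": {"value": "Succeeded"},
     "subscriptionId": "sub-2222",
     "properties": {"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
                    "principalId": "guid-unknown"}},
])


def parse_export(raw_json):
    """Normalise az-style activity-log entries into flat dicts, oldest first."""
    events = []
    for e in json.loads(raw_json):
        props = e.get("properties") or {}
        events.append({
            "time": datetime.strptime(e["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "caller": e.get("caller", "<unknown>"),
            "op": e["operationName"]["value"],
            "status": e.get("status", {}).get("value"),
            "sub": e.get("subscriptionId"),
            # Keep only the GUID at the end of the role definition resource id.
            "role_id": props.get("roleDefinitionId", "").rsplit("/", 1)[-1],
            "principal": props.get("principalId"),
        })
    return sorted(events, key=lambda ev: ev["time"])


def triage(events, approved_creators, window=timedelta(hours=1)):
    """Build a per-subscription timeline and a list of findings worth a closer look."""
    subs, failed = {}, []
    for ev in events:
        if ev["op"] in SUBSCRIPTION_CREATE_OPS:
            if ev["status"] != "Succeeded":
                failed.append((ev["caller"], ev["time"]))  # attempts that were denied
                continue
            entry = {"created_by": ev["caller"], "created_at": ev["time"],
                     "role_assignments": [], "findings": []}
            if ev["caller"] not in approved_creators:
                entry["findings"].append(f"created by unapproved caller {ev['caller']}")
            subs[ev["sub"]] = entry
        elif ev["op"] == ROLE_ASSIGN_OP and ev["status"] == "Succeeded" and ev["sub"] in subs:
            entry = subs[ev["sub"]]
            role = ROLE_NAMES.get(ev["role_id"], ev["role_id"])
            entry["role_assignments"].append((ev["caller"], role, ev["principal"]))
            # Owner granted right after creation is the pattern the investigation steps ask about.
            if role == "Owner" and ev["time"] - entry["created_at"] <= window:
                entry["findings"].append(
                    f"Owner granted to {ev['principal']} by {ev['caller']} "
                    f"{ev['time'] - entry['created_at']} after creation")
    return {"subscriptions": subs, "failed_creates": failed}


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT), APPROVED_CREATORS)
    for sub_id, entry in report["subscriptions"].items():
        print(sub_id, "created by", entry["created_by"], "at", entry["created_at"])
        for finding in entry["findings"]:
            print("  FINDING:", finding)
    for caller, when in report["failed_creates"]:
        print("failed creation attempt by", caller, "at", when)
```

To use this against a real tenant, export the log with `az monitor activity-log list --start-time <date> -o json`, pass the file contents to `parse_export`, and replace `APPROVED_CREATORS` with the identities that your change process actually permits to create subscriptions. The window for the Owner check is a tunable assumption; the point is to surface privilege grants that follow the creation closely enough to have been part of the same action.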

Resolution

After detecting anomalous behavior, Lacework recommends the following resolutions:

  • Immediately disable the subscription. This will prevent further malicious activity and protect your resources from further damage.
  • Investigate the incident to determine the scope of the attack, the potential damage, and the root cause. This may involve reviewing access logs, auditing resources, and performing forensic analysis.
  • Identify and delete any resources that have been created or used maliciously. This may include virtual machines, storage accounts, or network resources.
  • If the malicious activity was caused by compromised credentials, reset the credentials associated with the subscription, including all service accounts and administrative accounts.
  • Enable Azure Security Center to identify and remediate security issues, and to provide ongoing monitoring and alerts for potential security threats.
  • Review your security policies and update them as necessary to prevent similar incidents from happening in the future. This may include strengthening access controls, implementing multi-factor authentication, or increasing monitoring of your Azure resources.