New Azure User Performed Operation on Resource for the First Time

This alert occurs when Lacework detects that a user has performed an operation on an Azure resource for the first time.

Why this Alert is Important

As an Azure admin, you want to ensure that these operations are authorized and are within the permissions granted to this user.

Investigation

Conduct a security audit on the suspicious Azure resource, including:

  • Review the Activity log to identify operations within the detected timeframe, for example, creating a new resource or starting a virtual machine.
  • Review the resource log to gain more insight into operations performed by an Azure resource. Operation examples might be getting a secret from a key vault or making a request to a database. Resource logs are generated automatically, but you must create a diagnostic setting to send them to Azure Monitor Logs.
  • Review the resource entity page for basic details about the resource, such as location, creation timestamp, the associated resource group and associated tags, as well as info related to access management, such as who has permission to access this resource and what networks are allowed access to it.
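The Activity log review above can be scripted. The following is an added example (not part of the Lacework documentation or product) that reproduces the alert's core logic over Activity log records: events before a chosen window form the baseline of (caller, operation, resource) combinations, and any combination first seen inside the window is flagged and grouped per caller for triage. The sample records are constructed for this example and only mimic the Activity log JSON field names (`caller`, `operationName.value`, `resourceId`, `eventTimestamp`, `status.value`); the subscription ID is a placeholder.

```python
import json
from datetime import datetime

# Constructed sample Activity Log entries (not real tenant data). The field
# names follow the Azure Activity Log schema; the subscription ID is a placeholder.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "eventTimestamp": "2024-05-01T08:12:00Z", "status": {"value": "Succeeded"}},
    {"caller": "carol@contoso.example",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-https",
     "eventTimestamp": "2024-05-03T14:00:00Z", "status": {"value": "Succeeded"}},
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "eventTimestamp": "2024-05-20T08:05:00Z", "status": {"value": "Succeeded"}},
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "eventTimestamp": "2024-05-20T09:30:00Z", "status": {"value": "Succeeded"}},
    {"caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Resources/deployments/deploy-1",
     "eventTimestamp": "2024-05-21T10:00:00Z", "status": {"value": "Failed"}},
    {"caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "resourceId": _SUB + "/resourceGroups/rg-prod/providers/Microsoft.Resources/deployments/deploy-1",
     "eventTimestamp": "2024-05-21T10:05:00Z", "status": {"value": "Succeeded"}},
])


def parse_timestamp(value):
    """Activity Log timestamps are ISO 8601 with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(raw_json):
    """Normalize raw Activity Log JSON into flat records sorted by time."""
    events = []
    for rec in json.loads(raw_json):
        events.append({
            "caller": rec["caller"],
            "operation": rec["operationName"]["value"],
            "resource_id": rec["resourceId"],
            "status": rec.get("status", {}).get("value", "Unknown"),
            "timestamp": parse_timestamp(rec["eventTimestamp"]),
        })
    return sorted(events, key=lambda e: e["timestamp"])


def first_time_operations(events, window_start):
    """Flag events in the detection window whose (caller, operation, resource)
    combination was never seen in the baseline period before window_start.
    A combination is flagged only once, at its first occurrence."""
    seen = set()
    flagged = []
    for ev in events:
        key = (ev["caller"], ev["operation"], ev["resource_id"])
        if ev["timestamp"] < window_start:
            seen.add(key)  # baseline: known-good history
            continue
        if key not in seen:
            flagged.append(ev)
            seen.add(key)
    return flagged


def resource_group_of(resource_id):
    """Extract the resource group name from an ARM resource ID."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "resourcegroups" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def triage_summary(flagged):
    """Group flagged events per caller so each user can be reviewed in one pass."""
    summary = {}
    for ev in flagged:
        entry = summary.setdefault(
            ev["caller"], {"operations": [], "resource_groups": set(), "failed": 0})
        entry["operations"].append(ev["operation"])
        entry["resource_groups"].add(resource_group_of(ev["resource_id"]))
        if ev["status"] != "Succeeded":
            entry["failed"] += 1  # failed attempts are still worth a look
    for entry in summary.values():
        entry["resource_groups"] = sorted(entry["resource_groups"])
    return summary


if __name__ == "__main__":
    evs = load_events(SAMPLE_ACTIVITY_LOG)
    hits = first_time_operations(evs, parse_timestamp("2024-05-15T00:00:00Z"))
    for caller, info in triage_summary(hits).items():
        print(caller, info)
```

On a real subscription the input would come from `az monitor activity-log list --start-time <ISO> --caller <user>` (or the equivalent Log Analytics query), whose JSON carries the same fields. The window start should match the alert's detected timeframe, and the baseline should span long enough (Activity log retention is limited) that legitimate periodic operations are not flagged as new.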

Resolution

After detecting anomalous behavior, Lacework recommends the following resolutions:

  • Suspend or revoke the user's access.
  • Investigate their activity to identify any unauthorized actions they may have taken. You can review the Azure Activity Logs, diagnostic logs, and other security logs to identify any suspicious activity or anomalies.
  • If the malicious user has caused any damage, such as deleting or modifying resources, take steps to contain the damage and restore affected resources from backups if necessary.
  • Change all passwords associated with the affected user account and enable MFA to prevent unauthorized access to Azure resources.
  • To prevent similar incidents from occurring in the future, consider implementing stronger security controls, such as role-based access control (RBAC), network security groups, and Azure Security Center. You can also monitor Azure resources for suspicious activity using Azure Sentinel or other security tools.