Unusual Azure Activity Logs Event for a User

Last updated 14 days ago on 2025-11-21

Created 2 months ago on 2025-10-06

About

A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from user context that does not normally use the event action. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.

Tags

Domain: CloudData Source: AzureData Source: Azure Activity LogsRule Type: MLRule Type: Machine Learning

Severity

low

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Remote Services (T1021)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Exfiltration (TA0010)(opens in a new tab or window)

↳ Exfiltration Over C2 Channel (T1041)(opens in a new tab or window)

False Positive Examples

New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Machine Learning
Integration Pack: Prebuilt Security Detection Rules
Related Integrations: azure(opens in a new tab or window)
Query

Install detection rules in Elastic Security

Detect Unusual Azure Activity Logs Event for a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).