Azure Admin Activity Anomaly

Detects administrative actions that are new for an account, or administrative actions performed on multiple targets simultaneously. Oort examines administrative actions within the past 90 days and alerts when a single account performs them on 10 or more distinct targets within a 10-minute period.

Adversaries may create/modify an account to maintain access to victim systems or to modify the configuration settings to evade defenses and/or escalate privileges.

Recommended Actions

Verify with the owner of the account the reason for the changes.

Please note that many alerts will represent normal account or application lifecycle events (join/leave/move), so it is important to check the context of the action before treating it as malicious.

Default Check Settings

numberOfDistinctTargets: 10

timeframeMinutes: 10
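The following Python is an added illustration of the two behaviours the check describes, not Oort's own detection code. It runs a per-account sliding window over Microsoft Entra ID audit-log records (the Graph `directoryAudits` shape: `activityDateTime`, `activityDisplayName`, `initiatedBy`, `targetResources`) and alerts when one account touches `numberOfDistinctTargets` or more distinct targets inside `timeframeMinutes`; a second function flags an activity the account has not performed in the previous 90 days. The sample records, account names and target ids are constructed for the example; the evaluation window start passed to `new_action_alerts` is an assumed parameter, not a documented setting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults mirroring the check settings on the page
NUMBER_OF_DISTINCT_TARGETS = 10
TIMEFRAME_MINUTES = 10
BASELINE_DAYS = 90


def parse_ts(s):
    """Parse an Entra ID ISO-8601 UTC timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract(record):
    """Return (actor, timestamp, activity, set of target ids) from one audit record."""
    initiated = record.get("initiatedBy", {})
    actor = (initiated.get("user") or {}).get("userPrincipalName")
    if actor is None:  # service-principal initiated actions carry an app block instead
        actor = (initiated.get("app") or {}).get("displayName", "unknown")
    targets = {t["id"] for t in record.get("targetResources", [])}
    return actor, parse_ts(record["activityDateTime"]), record["activityDisplayName"], targets


def burst_alerts(records, distinct_targets=NUMBER_OF_DISTINCT_TARGETS,
                 timeframe_minutes=TIMEFRAME_MINUTES):
    """Alert once per actor when >= distinct_targets targets are touched within the window."""
    by_actor = defaultdict(list)
    for r in records:
        actor, ts, activity, targets = extract(r)
        by_actor[actor].append((ts, activity, targets))
    window = timedelta(minutes=timeframe_minutes)
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            seen = set()
            for ts, _, targets in events[i:]:
                if ts - start > window:
                    break
                seen |= targets
            if len(seen) >= distinct_targets:
                alerts.append({"actor": actor, "window_start": start,
                               "distinct_targets": len(seen)})
                break  # one alert per actor per run keeps the output readable
    return alerts


def new_action_alerts(records, evaluate_after, baseline_days=BASELINE_DAYS):
    """Flag events after evaluate_after whose activity the actor has not done in baseline_days."""
    events = sorted((extract(r) for r in records), key=lambda e: e[1])
    last_seen = {}  # (actor, activity) -> most recent earlier occurrence
    baseline = timedelta(days=baseline_days)
    alerts = []
    for actor, ts, activity, _ in events:
        prev = last_seen.get((actor, activity))
        if ts >= evaluate_after and (prev is None or ts - prev > baseline):
            alerts.append({"actor": actor, "activity": activity, "time": ts})
        last_seen[(actor, activity)] = ts
    return alerts


def _rec(ts, actor, activity, target_id):
    """Build one constructed audit record in the directoryAudits shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "category": "RoleManagement",
            "initiatedBy": {"user": {"userPrincipalName": actor}, "app": None},
            "targetResources": [{"id": target_id, "type": "User"}]}


# Constructed sample log (not real tenant data).
SAMPLE_AUDIT_LOG = (
    # 11 role assignments by one admin across ten minutes -> burst alert
    [_rec(f"2024-05-01T09:{i:02d}:00Z", "admin@contoso.example",
          "Add member to role", f"user-{i:03d}") for i in range(11)]
    # the admin did the same activity 10 days earlier -> not "new"
    + [_rec("2024-04-21T10:00:00Z", "admin@contoso.example", "Add member to role", "user-900")]
    # an HR sync account updating 3 users over half an hour -> no burst
    + [_rec(f"2024-05-01T11:{i * 12:02d}:00Z", "hr-sync@contoso.example",
            "Update user", f"user-{200 + i}") for i in range(3)]
    # its previous "Update user" was 120 days ago, outside the 90-day baseline -> "new"
    + [_rec("2024-01-02T08:00:00Z", "hr-sync@contoso.example", "Update user", "user-300")]
)

if __name__ == "__main__":
    for a in burst_alerts(SAMPLE_AUDIT_LOG):
        print("burst:", a)
    for a in new_action_alerts(SAMPLE_AUDIT_LOG, parse_ts("2024-04-30T00:00:00Z")):
        print("new action:", a)
```

Both functions return the alert records rather than printing them, so the same logic can sit behind a scheduled query; in practice the `new_action_alerts` history would be seeded from the prior 90 days of audit data rather than from the batch being evaluated, and the lifecycle note above applies: the HR sync account in the sample is exactly the kind of hit that needs context before escalation.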

Compatibility

Microsoft Entra ID
