Suspicious activity

Managed Identity administration activity committed by a Managed Identity



Orca detected that an API call to manage user assigned managed identity made by a managed identity - {AzureServicePrincipal}, the operation was successful. The action may indicate a presence of an unauthorized actor in the cloud environment since Managed Identities usually don't perform administrative activities. Since Managed Identities can be attached to compute resources, their tokens are relatively once an attacker gain access to the machine. To view the whole list of events, check out the Evidence tab.