Suspicious activity

Role assignment administration activity committed by a Managed Identity



Orca detected that a Managed Identity, {AzureServicePrincipal}, made a successful API call to manage a role assignment. This action may indicate the presence of an unauthorized actor in the cloud environment, since Managed Identities do not usually perform administrative activities. Because Managed Identities can be attached to compute resources, their tokens are relatively easy to obtain once an attacker gains access to the machine. To view the full list of events, see the Evidence tab.
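One way to express this detection over exported Azure Activity Log events, as an added example that is not Orca's own detection logic. It assumes simplified, flat field names (`time`, `operationName`, `status`, `resourceId`, `claims`) and that a Managed Identity caller is recognizable by the `xms_mirid` token claim; all sample events and IDs are constructed.

```python
import json

# Azure RBAC operations that create/update or remove a role assignment.
OPS_PREFIX = "microsoft.authorization/roleassignments/"
ROLE_ASSIGNMENT_OPS = {OPS_PREFIX + "write", OPS_PREFIX + "delete"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

def managed_identity_of(event):
    """Return the caller's "xms_mirid" claim (assumed set for managed identities)."""
    claims = event.get("claims") or {}
    if isinstance(claims, str):  # some exports store claims as a JSON string
        try:
            claims = json.loads(claims)
        except ValueError:
            return None
    return claims.get("xms_mirid") if isinstance(claims, dict) else None

def find_mi_role_assignment_changes(events):
    """Return successful role assignment changes made by a managed identity."""
    findings = []
    for ev in events:
        op = str(ev.get("operationName", "")).lower()
        ok = str(ev.get("status", "")).lower() in ("succeeded", "success")
        mirid = managed_identity_of(ev)
        if op in ROLE_ASSIGNMENT_OPS and ok and mirid:
            findings.append({"time": ev.get("time"), "operation": op,
                             "managed_identity": mirid,
                             "scope": ev.get("resourceId")})
    return findings

# Constructed sample events (simplified field names, not real log data).
VM = SUB + "/resourcegroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"
RA = SUB + "/providers/Microsoft.Authorization/roleAssignments/example"
SAMPLE_EVENTS = [
    {"time": "T1", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "status": "Succeeded", "resourceId": RA, "claims": {"xms_mirid": VM}},
    {"time": "T2", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "status": "Succeeded", "resourceId": RA, "claims": {"name": "admin user"}},
    {"time": "T3", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "status": "Failed", "resourceId": RA, "claims": {"xms_mirid": VM}},
    {"time": "T4", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE",
     "status": "Success", "resourceId": RA, "claims": json.dumps({"xms_mirid": VM})},
    {"time": "T5", "operationName": "Microsoft.Compute/virtualMachines/read",
     "status": "Succeeded", "resourceId": VM, "claims": {"xms_mirid": VM}},
]

if __name__ == "__main__":
    for finding in find_mi_role_assignment_changes(SAMPLE_EVENTS):
        print(finding)
```

Only T1 and T4 are reported: the human caller (T2), the failed call (T3) and the non-RBAC operation (T5) are filtered out.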
  • Recommended Mitigation

    It is recommended to review the role assignment that was affected. In addition, the Managed Identity's permissions should be configured according to the principle of least privilege. Revoke permissions if possible.