Suspicious activity

VM administration activity committed by a guest user
Orca detected a successful API call that changed the state of a virtual machine, made by a guest user - {AzureUser}. Azure allows an external user to access the company tenant with their regular account by creating a 'guest' identity within the company's Azure Active Directory (AAD). The action may indicate the presence of an unauthorized actor in the cloud environment, since guest users usually don't perform administrative activities and their permissions should be very limited. Because guest users are managed outside of the organization, they are exposed to significant risk. To view the whole list of events, check out the Evidence tab.
  • Recommended Mitigation

    It is recommended to review the changes made to the virtual machine. In addition, the guest user's permissions should be configured according to the least privilege principle; revoke the permissions if they are not needed.
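The following is an added example, not Orca's own detection logic, showing how the condition behind this alert can be checked against Azure Activity Log records: a successful VM power-state operation whose caller is a guest identity (the '#EXT#' marker in the UPN). It assumes a simplified subset of Activity Log fields (caller, operationName, status, resourceId) and uses constructed sample events.

```python
from typing import Dict, Iterable, List

# Azure Activity Log operationName values that change a VM's power state
# (the Microsoft.Compute operations this alert is concerned with).
VM_STATE_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
}


def is_guest_upn(caller: str) -> bool:
    """B2B guest identities carry '#EXT#' in their UPN, e.g. alice_partner.com#EXT#@tenant.onmicrosoft.com."""
    return "#EXT#" in caller.upper()


def guest_vm_state_changes(events: Iterable[Dict]) -> List[Dict]:
    """Return successful VM state changes whose caller is a guest user."""
    findings = []
    for ev in events:
        if ev.get("operationName") not in VM_STATE_OPERATIONS:
            continue  # reads, tag updates etc. are out of scope
        if ev.get("status") != "Succeeded":
            continue  # the alert fires only on successful operations
        caller = ev.get("caller", "")
        if not is_guest_upn(caller):
            continue  # member (non-guest) accounts are not this alert's concern
        findings.append({
            "time": ev.get("eventTimestamp"),
            "caller": caller,
            "operation": ev["operationName"],
            "resourceId": ev.get("resourceId"),
        })
    return findings


# Constructed sample events (not real log data) in a simplified Activity Log shape.
VM = "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
GUEST = "alice_partner.com#EXT#@contoso.onmicrosoft.com"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": GUEST, "resourceId": VM,
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded"},
    {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": "bob@contoso.com", "resourceId": VM,
     "operationName": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Succeeded"},
    {"eventTimestamp": "2024-01-01T10:07:00Z", "caller": GUEST, "resourceId": VM,
     "operationName": "Microsoft.Compute/virtualMachines/powerOff/action", "status": "Failed"},
    {"eventTimestamp": "2024-01-01T10:09:00Z", "caller": GUEST, "resourceId": VM,
     "operationName": "Microsoft.Compute/virtualMachines/read", "status": "Succeeded"},
]
```

Only the first sample event is reported: the member's deallocate, the guest's failed powerOff and the guest's read operation do not match the alert's condition.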