Suspicious activity

VM administration activity committed by a Managed Identity

Platform(s)

Description

Orca detected that an API call to change a virtual machine's state was made by a managed identity, {AzureServicePrincipal}, and that the operation was successful. The action may indicate the presence of an unauthorized actor in the cloud environment, since managed identities usually don't perform administrative activities. Because managed identities can be attached to compute resources, their tokens are relatively easy to obtain once an attacker gains access to the machine. To view the whole list of events, check out the Evidence tab.
Recommended Mitigation

It is recommended to review the virtual machines that have been affected. In addition, the managed identity's permissions should be configured according to the least privilege principle. Revoke permissions where possible.
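As an added example (not Orca's detection code), the check below reproduces the alert's logic over constructed Azure Activity Log records: it reports only successful VM power-state operations whose caller token carries the managed-identity claim, skipping user callers, read-only operations and failed attempts. The record layout is a simplified Activity Log shape and the identifiers are made up.

```python
import json

# Constructed sample Azure Activity Log records, one JSON object per line. The
# field names (operationName, status, caller, claims, resourceId) follow the
# Activity Log schema; the values are made up for this example. "xms_mirid" is
# the token claim that carries a managed identity's own resource ID.
SAMPLE_ACTIVITY_LOG = r'''
{"operationName": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Succeeded", "caller": "11111111-1111-1111-1111-111111111111", "resourceId": "/subscriptions/sub-example/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-01", "claims": {"appid": "11111111-1111-1111-1111-111111111111", "xms_mirid": "/subscriptions/sub-example/resourcegroups/rg-prod/providers/Microsoft.Compute/virtualMachines/app-worker-01"}}
{"operationName": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Succeeded", "caller": "alice@example.com", "resourceId": "/subscriptions/sub-example/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-02", "claims": {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "alice@example.com"}}
{"operationName": "Microsoft.Compute/virtualMachines/read", "status": "Succeeded", "caller": "11111111-1111-1111-1111-111111111111", "resourceId": "/subscriptions/sub-example/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-01", "claims": {"appid": "11111111-1111-1111-1111-111111111111", "xms_mirid": "/subscriptions/sub-example/resourcegroups/rg-prod/providers/Microsoft.Compute/virtualMachines/app-worker-01"}}
{"operationName": "Microsoft.Compute/virtualMachines/restart/action", "status": "Failed", "caller": "11111111-1111-1111-1111-111111111111", "resourceId": "/subscriptions/sub-example/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web-03", "claims": {"appid": "11111111-1111-1111-1111-111111111111", "xms_mirid": "/subscriptions/sub-example/resourcegroups/rg-prod/providers/Microsoft.Compute/virtualMachines/app-worker-01"}}
'''

# Operations that change a VM's power state (compared case-insensitively).
VM_STATE_CHANGE_OPS = {
    "microsoft.compute/virtualmachines/start/action",
    "microsoft.compute/virtualmachines/deallocate/action",
    "microsoft.compute/virtualmachines/poweroff/action",
    "microsoft.compute/virtualmachines/restart/action",
}


def is_managed_identity(event):
    """A managed identity token carries the xms_mirid claim (its resource ID)."""
    return "xms_mirid" in event.get("claims", {})


def find_mi_vm_state_changes(log_text):
    """Return the successful VM state changes performed by a managed identity."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("operationName", "").lower() not in VM_STATE_CHANGE_OPS:
            continue  # not a power-state change (e.g. a read)
        if event.get("status") != "Succeeded" or not is_managed_identity(event):
            continue  # failed attempt, or a human/other principal
        findings.append({
            "managed_identity": event["claims"]["xms_mirid"],
            "operation": event["operationName"],
            "target_vm": event["resourceId"].rsplit("/", 1)[-1],
        })
    return findings


if __name__ == "__main__":
    for f in find_mi_vm_state_changes(SAMPLE_ACTIVITY_LOG):
        print(f"{f['managed_identity']} -> {f['operation']} on {f['target_vm']}")
```

Each finding names the managed identity's own resource ID, which is the starting point for the permission review recommended above: the identity's role assignments, and the compute resource it is attached to, are what need least-privilege scrutiny.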