Suspicious activity

VM administration activity committed by a Managed Identity

Platform(s)

Description

Orca detected that an API call to change virtual machine state made by a managed identity - {AzureServicePrincipal}, the operation was successful. The action may indicate a presence of an unauthorized actor in the cloud environment since Managed Identities usually don't perform administrative activities. Since Managed Identities can be attached to compute resources, their tokens are relatively once an attacker gain access to the machine. To view the whole list of events, check out the Evidence tab.
Need help?

Get a free Security Risk Assessment. Start today

Orca Security Demo Demo the Orca Platform-> In just 10 minutes, you’ll see how Orca Security can revolutionize your cloud security strategy. Watch a recorded demo from a cloud security expert now.