{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anomaly-detection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["azure","cloud","anomaly-detection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies Azure Activity Logs activity originating from a city that is atypical for the specific event action being performed. The underlying mechanism is a machine learning job, \u003ccode\u003eazure_activitylogs_rare_event_action_for_a_city_ea\u003c/code\u003e, designed to surface anomalous geolocation patterns. The rule is triggered when the anomaly score exceeds 50. Such deviations can indicate compromised credentials used by an attacker operating from a different geography than the authorized user. This activity can be an early indicator of account abuse, potentially preceding broader impact such as data exfiltration or resource exploitation. The rule is designed to be used with Elastic Stack version 9.4.0 and later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid Azure credentials (username/password or service principal keys) through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker uses the compromised credentials to log in to the Azure environment from an unusual geographic location (city).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivity Log Generation:\u003c/strong\u003e The login and subsequent actions generate Azure Activity Logs entries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access/Modification:\u003c/strong\u003e The attacker performs actions such as adding privileged role assignments, creating virtual machines, modifying network configurations, or accessing Key Vault secrets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e The attacker may use the initially compromised account to discover and access other resources or accounts within the Azure environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Resource Exploitation (Potential):\u003c/strong\u003e The attacker exfiltrates sensitive data or uses compromised resources for malicious purposes like cryptocurrency mining.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, modification of critical infrastructure, and deployment of malicious resources within the Azure environment. The impact can range from data breaches and financial losses to disruption of services. While the risk score of this detection is low, further investigation is required to determine the extent and nature of the malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the associated Machine Learning job (\u003ccode\u003eazure_activitylogs_rare_event_action_for_a_city_ea\u003c/code\u003e) and ensure that the Azure Activity Logs integration is properly configured to provide the necessary data.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field to understand possible investigation steps, including validating user presence in the region and enriching the source IP.\u003c/li\u003e\n\u003cli\u003eImplement response and remediation steps outlined in the rule \u003ccode\u003enote\u003c/code\u003e field such as revoking active sessions, resetting passwords, and reverting changes executed from the unusual city.\u003c/li\u003e\n\u003cli\u003eConfigure Conditional Access policies with country allowlists and named egress IP ranges, as recommended in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field, to prevent logins from unexpected locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:35:13Z","date_published":"2026-04-02T13:35:13Z","id":"/briefs/2026-06-unusual-azure-city/","summary":"A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action, indicating potential compromised credentials.","title":"Unusual City for Azure Activity Logs Event","url":"https://feed.craftedsignal.io/briefs/2026-06-unusual-azure-city/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","anomaly-detection","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief describes the detection of unusual privileged access activity in Windows environments. The detection leverages a machine learning model (\u0026ldquo;pad_windows_rare_device_by_user_ea\u0026rdquo;) designed to identify deviations from typical host usage patterns. Specifically, it flags instances where a user performs privileged operations from a device not commonly associated with that user. This activity can indicate a compromised account where an attacker is using stolen credentials or an insider threat attempting to escalate privileges from an unauthorized device. The detection is part of the Elastic Privileged Access Detection (PAD) integration and focuses on Windows events collected by Elastic Defend and Windows integrations. The PAD integration requires Fleet and properly configured agents. The anomaly_threshold is set to 75.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a valid user account, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into a Windows system using the compromised account from a device that is not typically used by that user.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute privileged operations on the system, such as installing software, modifying system settings, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eWindows logs capture the privileged operations being performed by the user account from the unusual device.\u003c/li\u003e\n\u003cli\u003eThe Elastic Privileged Access Detection (PAD) integration analyzes the logs using its machine learning model (\u0026ldquo;pad_windows_rare_device_by_user_ea\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe ML model identifies the activity as anomalous based on the rarity of the device being used by the user for privileged operations.\u003c/li\u003e\n\u003cli\u003eA detection rule triggers, flagging the unusual activity as a potential privileged access attempt.\u003c/li\u003e\n\u003cli\u003eThe security team investigates to determine whether the activity is malicious or a legitimate use case (e.g., user working from a new device).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to privilege escalation, allowing the attacker to gain control of the system and potentially the entire network. This can result in data breaches, system compromise, and disruption of services. The severity is rated as low because the detection relies on anomalies and requires further investigation to confirm malicious intent. Identifying unusual access patterns early can prevent more severe incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection jobs, as outlined in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Host Name for Windows Privileged Operations Detected\u0026rdquo; rule, focusing on the specific user and host involved, per the \u003ca href=\"#triage-and-analysis\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for privileged accounts to mitigate the risk of unauthorized access even if credentials are compromised, as mentioned in the \u003ca href=\"#response-and-remediation\"\u003eresponse and remediation\u003c/a\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-unusual-windows-privileged-access/","summary":"A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity associated with compromised accounts or insider threats.","title":"Unusual Host Name for Windows Privileged Operations Detected via ML","url":"https://feed.craftedsignal.io/briefs/2024-01-02-unusual-windows-privileged-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Anomaly-Detection","version":"https://jsonfeed.org/version/1.1"}