<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Anomaly-Detection — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/anomaly-detection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 Apr 2026 13:35:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/anomaly-detection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual City for Azure Activity Logs Event</title><link>https://feed.craftedsignal.io/briefs/2026-06-unusual-azure-city/</link><pubDate>Thu, 02 Apr 2026 13:35:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-unusual-azure-city/</guid><description>A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action, indicating potential compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies Azure Activity Logs activity originating from a city that is atypical for the specific event action being performed. The underlying mechanism is a machine learning job, <code>azure_activitylogs_rare_event_action_for_a_city_ea</code>, designed to surface anomalous geolocation patterns. The rule is triggered when the anomaly score exceeds 50. Such deviations can indicate compromised credentials used by an attacker operating from a different geography than the authorized user. 
This activity can be an early indicator of account abuse, potentially preceding broader impact such as data exfiltration or resource exploitation. The rule is designed to be used with Elastic Stack version 9.4.0 and later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Credential Compromise:</strong> An attacker obtains valid Azure credentials (username/password or service principal keys) through phishing, credential stuffing, or other means.</li>
<li><strong>Initial Access:</strong> The attacker uses the compromised credentials to log in to the Azure environment from an unusual geographic location (city).</li>
<li><strong>Activity Log Generation:</strong> The login and subsequent actions generate Azure Activity Logs entries.</li>
<li><strong>Resource Access/Modification:</strong> The attacker performs actions such as adding privileged role assignments, creating virtual machines, modifying network configurations, or accessing Key Vault secrets.</li>
<li><strong>Lateral Movement (Potential):</strong> The attacker may use the initially compromised account to discover and access other resources or accounts within the Azure environment.</li>
<li><strong>Data Exfiltration/Resource Exploitation (Potential):</strong> The attacker exfiltrates sensitive data or uses compromised resources for malicious purposes like cryptocurrency mining.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive data, modification of critical infrastructure, and deployment of malicious resources within the Azure environment. The impact can range from data breaches and financial losses to disruption of services. While the risk score of this detection is low, further investigation is required to determine the extent and nature of the malicious activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the associated Machine Learning job (<code>azure_activitylogs_rare_event_action_for_a_city_ea</code>) and ensure that the Azure Activity Logs integration is properly configured to provide the necessary data.</li>
<li>Review the investigation guide within the rule&rsquo;s <code>note</code> field to understand possible investigation steps, including validating user presence in the region and enriching the source IP.</li>
<li>Implement response and remediation steps outlined in the rule <code>note</code> field such as revoking active sessions, resetting passwords, and reverting changes executed from the unusual city.</li>
<li>Configure Conditional Access policies with country allowlists and named egress IP ranges, as recommended in the rule&rsquo;s <code>note</code> field, to prevent logins from unexpected locations.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>cloud</category><category>anomaly-detection</category></item><item><title>Unusual Host Name for Windows Privileged Operations Detected via ML</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-unusual-windows-privileged-access/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-unusual-windows-privileged-access/</guid><description>A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity associated with compromised accounts or insider threats.</description><content:encoded><![CDATA[<p>This threat brief describes the detection of unusual privileged access activity in Windows environments. The detection leverages a machine learning model (<code>pad_windows_rare_device_by_user_ea</code>) designed to identify deviations from typical host usage patterns. Specifically, it flags instances where a user performs privileged operations from a device not commonly associated with that user. This activity can indicate a compromised account where an attacker is using stolen credentials or an insider threat attempting to escalate privileges from an unauthorized device. The detection is part of the Elastic Privileged Access Detection (PAD) integration and focuses on Windows events collected by Elastic Defend and Windows integrations. The PAD integration requires Fleet and properly configured agents. The <code>anomaly_threshold</code> is set to 75.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a valid user account, potentially through phishing, credential stuffing, or other means.</li>
<li>The attacker logs into a Windows system using the compromised account from a device that is not typically used by that user.</li>
<li>The attacker attempts to execute privileged operations on the system, such as installing software, modifying system settings, or accessing sensitive data.</li>
<li>Windows logs capture the privileged operations being performed by the user account from the unusual device.</li>
<li>The Elastic Privileged Access Detection (PAD) integration analyzes the logs using its machine learning model (<code>pad_windows_rare_device_by_user_ea</code>).</li>
<li>The ML model identifies the activity as anomalous based on the rarity of the device being used by the user for privileged operations.</li>
<li>A detection rule triggers, flagging the unusual activity as a potential privileged access attempt.</li>
<li>The security team investigates to determine whether the activity is malicious or a legitimate use case (e.g., user working from a new device).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to privilege escalation, allowing the attacker to gain control of the system and potentially the entire network. This can result in data breaches, system compromise, and disruption of services. The severity is rated as low because the detection relies on anomalies and requires further investigation to confirm malicious intent. Identifying unusual access patterns early can prevent more severe incidents.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure the Privileged Access Detection integration is installed and properly configured, including the preconfigured anomaly detection jobs, as outlined in the <a href="#setup">setup instructions</a>.</li>
<li>Investigate alerts generated by the &ldquo;Unusual Host Name for Windows Privileged Operations Detected&rdquo; rule, focusing on the specific user and host involved, per the <a href="#triage-and-analysis">investigation guide</a>.</li>
<li>Implement multi-factor authentication (MFA) for privileged accounts to mitigate the risk of unauthorized access even if credentials are compromised, as mentioned in the <a href="#response-and-remediation">response and remediation</a> section.</li>
<li>Review and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>privileged-access-detection</category><category>anomaly-detection</category><category>windows</category></item></channel></rss>