Spike in Azure Activity Logs Failed Messages

Elastic Detection Rules

Summary
This Azure Activity Logs anomaly detection rule monitors for a significant spike in the rate of failed messages within Azure Activity Logs. Such a spike can indicate potential security threats, such as privilege escalation, lateral movement, or reconnaissance efforts aimed at discovering cloud service configurations. The rule uses machine learning to detect these anomalies, drawing on Azure Activity Logs data collected via Elastic Agent; the required machine learning jobs start automatically once the rule is activated. The rule's documentation also covers false positives arising from benign causes, such as bugs in cloud automation or changes in service usage. To use this rule, the Azure Activity Logs integration must be set up, and the setup instructions stress configuring the necessary machine learning jobs so that detection works as intended.
Categories
  • Cloud
  • Azure
  • Kubernetes
Data Sources
  • Cloud Service
  • Application Log
  • Container
ATT&CK Techniques
  • T1526
  • T1580
Created: 2025-10-06