Rare Azure Activity Logs Event Failures

A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.

Elastic rule

[metadata]
creation_date = "2025/10/06"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New job added"
min_stack_version = "9.3.0"
updated_date = "2025/11/21"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or
successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
"""
false_positives = [
    """
    Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
    also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
    automation scripts or workflows, or changes to IAM privileges.
    """,
]
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "azure_activitylogs_rare_event_action_on_failure"
name = "Rare Azure Activity Logs Event Failures"
setup = """## Setup

This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.

### Anomaly Detection Setup

Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).

### Azure Activity Logs Integration Setup
The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.

#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
- Go to the Kibana home page and click “Add integrations”.
- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
- Click “Add Azure Activity Logs”.
- Configure the integration.
- Click “Save and Continue”.
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "c17ffbf9-595a-4c0b-a126-aacedb6dd179"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"

[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
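The rule above only points at the ML job; to make concrete what "rare failure on an event action" means for triage, here is an added Python example (not Elastic's job or rule code) that applies a simple count-based version of the same idea to constructed Azure Activity Log events. It assumes ECS-style field names (`@timestamp`, `event.action`, `event.outcome`, `user.name`) and uses the rule's 2h lookback; the 7-day baseline and the count cutoff are assumptions, and the real job models rarity statistically rather than with a fixed threshold.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in ECS-style field names (an assumption for this
# example; verify the names against your azure.activitylogs index). UTC times.
NOW = datetime(2025, 11, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # A routinely failing action: a monitoring identity polling hourly for 39 hours.
    *[{"@timestamp": NOW - timedelta(hours=h), "event.action": "Microsoft.Compute/virtualMachines/read",
       "event.outcome": "failure", "user.name": "monitor@example.com"} for h in range(1, 40)],
    # A rare action that succeeded: successes are never flagged, however rare.
    {"@timestamp": NOW - timedelta(minutes=30), "event.action": "Microsoft.KeyVault/vaults/secrets/read",
     "event.outcome": "success", "user.name": "app-svc@example.com"},
    # A failure inside the lookback for an action that never failed in the baseline.
    {"@timestamp": NOW - timedelta(minutes=20), "event.action": "Microsoft.Authorization/roleAssignments/write",
     "event.outcome": "failure", "user.name": "contractor@example.com"},
]


def failure_counts(events, start, end):
    """Count failed events per event.action with start <= @timestamp < end."""
    counts = Counter()
    for ev in events:
        if ev["event.outcome"] == "failure" and start <= ev["@timestamp"] < end:
            counts[ev["event.action"]] += 1
    return counts


def rare_failures(events, now, lookback=timedelta(hours=2),
                  baseline=timedelta(days=7), max_baseline_count=2):
    """Return {event.action: sorted user.name list} for failures in the lookback
    window whose action failed at most max_baseline_count times in the baseline
    window before it. Grouping by identity lets an analyst check the rule's listed
    false positives (troubleshooting by under-privileged users, automation bugs,
    IAM changes) before escalating."""
    history = failure_counts(events, now - baseline, now - lookback)
    flagged = defaultdict(set)
    for ev in events:
        in_window = now - lookback <= ev["@timestamp"] < now
        if ev["event.outcome"] != "failure" or not in_window:
            continue
        if history[ev["event.action"]] <= max_baseline_count:
            flagged[ev["event.action"]].add(ev["user.name"])
    return {action: sorted(users) for action, users in flagged.items()}


if __name__ == "__main__":
    for action, users in rare_failures(SAMPLE_EVENTS, NOW).items():
        print(f"rare failure: {action} by {', '.join(users)}")
```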
