Unusual City for an Azure Activity Logs Event
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).
Elastic rule
[metadata]
creation_date = "2025/10/06"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New job added"
min_stack_version = "9.3.0"
updated_date = "2025/12/08"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
used by a threat actor in a different geography than the authorized user(s).
"""
false_positives = [
    """
    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
    adoption of work from home policies; or users who travel frequently.
    """,
]
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_city"
name = "Unusual City for an Azure Activity Logs Event"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual City for an Azure Activity Logs Event

This rule highlights Azure Activity Logs activity executed from a city atypical for the action, indicating use of valid accounts from a different geography. A common pattern is a threat actor using stolen user or service principal credentials to add privileged role assignments and rapidly spin up compute to stage data exfiltration or mining from overseas. Location–action mismatch surfaces stealthy account abuse before persistence and broader impact.

### Possible investigation steps

- Identify the principal behind the operation and validate legitimate presence in the region by contacting the user/owner and reviewing travel or business justification.
- Enrich the source IP with ASN, hosting/cloud provider, VPN/Tor indicators, reverse DNS, and threat intel to determine whether it originates from anonymizing or compute infrastructure.
- Correlate Entra ID sign-in logs for the principal around the timestamp to check impossible travel, MFA usage or bypass, device compliance state, and atypical user-agent strings.
- Review adjacent Azure Resource Manager activity by the same principal for privileged changes such as role assignments, policy updates, access key or secret actions, and rapid compute/network provisioning.
- Determine whether the actor is a user or service principal, and if a service principal, inspect recent secret/certificate changes, unexpected consent or role grants, and potential credential exposure in CI/CD or repositories.

### False positive analysis

- A legitimate admin traveling or connecting via a VPN or newly configured egress/NAT gateway can geolocate to an unexpected city while performing routine Azure Activity Logs actions.
- Service principal or managed identity automation executing from a different Azure region due to multi-region deployment or failover can egress from a city unusual for the action yet still be authorized.

### Response and remediation

- Immediately revoke active sessions and refresh tokens for the implicated user or service principal, disable the account or application, and block the observed source IP/CIDR at Azure Firewall and NSGs to contain activity.
- Reset the user's password and force MFA re-registration, or for a service principal rotate all client secrets/certificates and remove any recent admin consent grants to eradicate credential reuse.
- Revert changes executed from the unusual city by removing newly added role assignments, deleting unexpected VMs/VNets or policy updates, and rotating Storage account keys and Key Vault secrets if they were accessed.
- After containment, verify business justification (travel or new egress) and restore any required resources from ARM/Bicep templates or backups, then re-enable access behind Conditional Access with known egress IPs only.
- Escalate to Incident Response if the actor performs privileged role grants, Key Vault secret retrieval, Storage key listing, or rapid compute provisioning within the same session, or if sign-in shows impossible travel or missing MFA.
- Harden by enforcing PIM for Owner/Contributor/User Access Administrator roles, configuring Conditional Access with country allowlists and named egress IP ranges, restricting service principals to certificate-only auth and Private Link on Key Vault/Storage, and enabling continuous geolocation anomaly alerts in Microsoft Sentinel.
"""
setup = """## Setup

This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.

### Anomaly Detection Setup

Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).

### Azure Activity Logs Integration Setup
The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.

#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
- Go to the Kibana home page and click “Add integrations”.
- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
- Click “Add Azure Activity Logs”.
- Configure the integration.
- Click “Save and Continue”.
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "ce08cdb8-e6cb-46bb-a7cc-16d17547323f"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Resources: Investigation Guide",
]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
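The rule's description ("a city that is unusual for the event action") and the investigation step that asks you to review adjacent Azure Resource Manager activity by the same principal can both be made concrete with a small triage helper. The script below is an added example, not Elastic's ML job and not code from the rule repository: it approximates the "rare city per action" signal with a plain per-action frequency baseline (the real job uses Elastic's anomaly detection, and `anomaly_threshold = 50` is not reproduced here), then checks whether each hit sits within a short window of privileged operations (role assignment writes, key listing, Key Vault secret access, VM provisioning) by the same principal, which the guide lists as the escalation criteria. The event records, field names (`principal`, `action`, `city`, `ts`), thresholds and cities are all constructed for the example; in a real pipeline they would come from the integration's ECS fields such as `event.action` and `source.geo.city_name`.

```python
"""Approximate the 'rare city for an action' signal with a per-action frequency
baseline and correlate hits with adjacent privileged operations by the same
principal. Hypothetical triage helper; it is not Elastic's ML job and all sample
events below are constructed, not real Azure Activity Log data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Operation-name fragments the investigation guide singles out as high-impact when
# they follow a geolocation anomaly (matched as case-insensitive substrings).
PRIVILEGED_MARKERS = (
    "AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "AUTHORIZATION/POLICYASSIGNMENTS/WRITE",
    "STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
    "KEYVAULT/VAULTS/SECRETS/",
    "COMPUTE/VIRTUALMACHINES/WRITE",
)


def make_sample_events():
    """Constructed events flattened to the fields we need: 20 routine VM writes
    from Dublin, one from Amsterdam (multi-region automation), and one from Lagos
    followed five minutes later by a role assignment write from the same user."""
    base = datetime(2025, 10, 6, 8, 0)
    vm_write = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
    role_write = "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
    events = []
    for i in range(20):
        principal = "svc-deploy" if i % 2 == 0 else "alice@example.com"
        events.append({"id": i, "ts": base + timedelta(hours=i), "principal": principal,
                       "action": vm_write, "city": "Dublin"})
    events.append({"id": 20, "ts": base + timedelta(days=2), "principal": "svc-deploy",
                   "action": vm_write, "city": "Amsterdam"})
    events.append({"id": 21, "ts": base + timedelta(days=3), "principal": "alice@example.com",
                   "action": vm_write, "city": "Lagos"})
    events.append({"id": 22, "ts": base + timedelta(days=3, minutes=5),
                   "principal": "alice@example.com", "action": role_write, "city": "Lagos"})
    return events


def build_baseline(events):
    """Per action, count how often each source city has performed it."""
    baseline = defaultdict(Counter)
    for ev in events:
        baseline[ev["action"]][ev["city"]] += 1
    return baseline


def rare_city_events(events, baseline, min_support=10, max_share=0.05):
    """Return events whose city accounts for at most `max_share` of that action's
    observations. Actions with fewer than `min_support` observations are skipped:
    a brand-new action has no history to be unusual against (thresholds assumed)."""
    findings = []
    for ev in events:
        counts = baseline[ev["action"]]
        total = sum(counts.values())
        if total < min_support:
            continue
        share = counts[ev["city"]] / total
        if share <= max_share:
            findings.append({**ev, "share": round(share, 3)})
    return findings


def privileged_context(events, finding, window_minutes=30):
    """Privileged operations by the same principal within +/- window of the hit."""
    lo = finding["ts"] - timedelta(minutes=window_minutes)
    hi = finding["ts"] + timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev["id"] == finding["id"] or ev["principal"] != finding["principal"]:
            continue
        if lo <= ev["ts"] <= hi and any(m in ev["action"].upper() for m in PRIVILEGED_MARKERS):
            hits.append(ev["action"])
    return hits


def triage(events):
    """Rare-city hits enriched with adjacent privileged activity and a priority."""
    baseline = build_baseline(events)
    results = []
    for f in rare_city_events(events, baseline):
        ctx = privileged_context(events, f)
        results.append({"principal": f["principal"], "action": f["action"], "city": f["city"],
                        "share": f["share"], "privileged_adjacent": ctx,
                        "priority": "escalate" if ctx else "review"})
    return results


if __name__ == "__main__":
    for finding in triage(make_sample_events()):
        print(finding)
```

On the constructed data both the Amsterdam and the Lagos VM writes are rare for the action (each is 1 of 22 observations), but only the Lagos hit has a role assignment write by the same principal inside the 30-minute window, so it is marked `escalate` while the Amsterdam one stays at `review`, matching the guide's distinction between multi-region automation noise and credential abuse. The role assignment write itself is not flagged as rare because that action has too little history, which is the same reason the real job needs a learned baseline before it becomes useful.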
Related rules
- Rare Azure Activity Logs Event Failures
- Spike in Azure Activity Logs Failed Messages
- Unusual Azure Activity Logs Event for a User
- Unusual Country for an Azure Activity Logs Event
- Multiple Cloud Secrets Accessed by Source Address