# Azure-Specific Policies to Detect Suspicious Operations in the Cloud Environment

By [Venkatesh Pappakrishnan](https://www.paloaltonetworks.com/blog/author/venkatesh-pappakrishnan/?ts=markdown "Posts by Venkatesh Pappakrishnan"), [Alok Tongaonkar](https://www.paloaltonetworks.com/blog/author/alok-tongaonkar/?ts=markdown "Posts by Alok Tongaonkar"), [Praveen Herrur](https://www.paloaltonetworks.com/blog/author/praveen-herrur/?ts=markdown "Posts by Praveen Herrur") and [Farid Arbai](https://www.paloaltonetworks.com/blog/author/farid-arbai/?ts=markdown "Posts by Farid Arbai")

Apr 20, 2023, 5 minutes

[Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown)
[Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown)

Exploiting privileged operations for malicious intent is one of the biggest threats in the public cloud. Such operations allow bad actors to perform a range of attack techniques, such as lateral movement, credential access, and data exfiltration.

Imagine that a privileged user account has been compromised. The attacker might use the user's permissions to remotely run commands on a running virtual machine and log in to it. The attacker could then use the permissions of the machine to modify the routing tables in the network and directly access a remote server to exfiltrate data.

In this scenario, organizations can be alerted to suspicious operations at many stages of the attack. A user executing a RunCommand operation points to lateral movement, while a virtual machine modifying the network route table indicates defense evasion. The timely detection and containment of security threats rely on anomaly policies that issue high-fidelity alerts for suspicious operations, freeing security teams to investigate and remediate critical incidents.

## Introducing New Anomaly Detection Policies

In our ongoing expansion of threat detection capabilities, keeping pace with the evolving threat landscape, Prisma Cloud has added eight new anomaly policies to detect suspicious operations in Azure® environments. Of the eight policies, six focus on activities originating from Azure compute workloads, and the remaining two focus on activities originating from Azure users. When a policy matches, a security alert is triggered; the operations these policies detect are high-fidelity indicators of malicious activity.

### Azure Compute Workload Assigning Roles to Resources

This policy detects an Azure Compute workload assigning a role to a resource, resource group, or subscription. Azure provides mechanisms to define and assign roles to control elevated permissions. Adversaries may abuse these mechanisms to gain higher-level permissions.

### Azure Compute Workload Modifying Key Vault Configurations

Attackers commonly attempt to steal secrets to elevate their permissions. This policy detects when an Azure Compute workload attempts to alter the configuration of a key vault. Azure Key Vault is a cloud service for securely storing and accessing secrets, such as encryption keys and passwords.

### Azure Compute Workload Deleting Network Security Groups

This detection alerts you to an Azure Compute workload deleting network security groups. Azure network security groups contain security rules that filter network traffic between Azure resources in an Azure virtual network. Attackers routinely attempt to delete these groups so that traffic the rules would have blocked can flow.

### Azure Compute Workload Disabling Azure Alerts

This policy detects an Azure Compute workload deleting Azure Monitor alert rules. An Azure Monitor alert rule monitors your telemetry and captures a signal that indicates something is happening on the specified resource. Adversaries may delete these rules to avoid being detected.

### Azure Compute Workload Creating or Modifying Route Tables

This policy detects an Azure Compute workload creating or modifying Azure route tables. Azure route tables are used to route traffic between Azure subnets and virtual networks. Adversaries attempt to tamper with these route tables to divert traffic to destinations they control.

### Azure Compute Workload Disabling Antimalware Extensions

This policy detects an Azure Compute workload disabling antimalware extensions. Antimalware for Azure is a protection capability that helps identify and remove viruses, spyware, and other malicious software. Attackers often disable these extensions before deploying malware.

### Azure User Reading Database Master Keys

This policy detects an Azure user reading master keys from Cosmos DB. The Azure master database key is a symmetric key used to protect the private keys of certificates and asymmetric keys present in the database.

### Azure User Executing Remote Commands on Virtual Machines

This policy detects Azure users executing commands remotely on a virtual machine.

All eight policies add valuable context to the alerts they raise, such as the number of failed and successful attempts, source IP addresses, and sample event IDs, to help with investigation and alert handling.

### Policy Dashboard

To view or enable the anomaly detection policies, navigate to Policies, select Overview, and then filter for Policy Type = 'Anomaly', Policy Subtype = 'UEBA', and Cloud = 'Azure'.

![Figure 1: List of Azure-specific policies](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-182575-1.png)

Figure 1: List of Azure-specific policies

Once audit logs from Azure cloud accounts are ingested and the eight anomaly policies are enabled, alerts for these policies trigger when a suspicious operation is performed, specifically when:

1. An Azure compute workload employing potential privilege escalation or defense evasion tactics is detected
2. An Azure user is suspected of using credential access or lateral movement tactics

## Trusted List Support

* **Role-Based Trusted List:** With the addition of these policies, you can also specify a role in a trusted anomaly list to suppress alerts. For role names that match entries in this trusted list, the specified anomaly policies will not generate alerts.
* **Subject-Based Trusted List:** Alerts can also be suppressed by adding subjects to a trusted list and selecting the applicable policies from the list.

## Learn More About Anomaly Detection

Discover how to protect Microsoft Azure environments with comprehensive [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/resources/ebooks/guide-to-cloud-security-posture), including support for the CIS Microsoft Azure Foundations Benchmark, and cloud workload protection (CWP) for hosts, containers, and serverless deployments. [Prisma Cloud for Microsoft Azure](https://www.paloaltonetworks.com/prisma/environments/azure) offers cloud-native security and compliance throughout the development lifecycle.
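As an added example (not Prisma Cloud's code), the following Python sketch evaluates the eight policy definitions and both trusted-list suppressions described above against a few constructed Azure Activity Log records, producing the alert context the post lists (success/failure counts, source IPs, sample event IDs). The record layout is a simplified approximation of Activity Log entries, the workload-versus-user split is inferred from the caller's principal type, and the mapping of each policy to an Azure resource-provider operation name is an assumption made here.

```python
"""Toy detector for the eight Azure anomaly policies described in this post.
Added example, not Prisma Cloud code. Records are simplified, constructed
Activity Log entries; the policy-to-operationName mapping is assumed here."""
from collections import defaultdict

# policy name -> (operationName, actor kind that triggers it, tactic from the post)
POLICIES = {
    "Workload assigning roles":       ("Microsoft.Authorization/roleAssignments/write", "workload", "privilege escalation"),
    "Workload modifying Key Vault":   ("Microsoft.KeyVault/vaults/write", "workload", "privilege escalation"),
    "Workload deleting NSG":          ("Microsoft.Network/networkSecurityGroups/delete", "workload", "defense evasion"),
    "Workload disabling alerts":      ("Microsoft.Insights/metricAlerts/delete", "workload", "defense evasion"),
    "Workload modifying route table": ("Microsoft.Network/routeTables/write", "workload", "defense evasion"),
    "Workload disabling antimalware": ("Microsoft.Compute/virtualMachines/extensions/delete", "workload", "defense evasion"),
    "User reading Cosmos DB keys":    ("Microsoft.DocumentDB/databaseAccounts/listKeys/action", "user", "credential access"),
    "User running VM commands":       ("Microsoft.Compute/virtualMachines/runCommand/action", "user", "lateral movement"),
}
BY_OPERATION = {op: (name, actor, tactic) for name, (op, actor, tactic) in POLICIES.items()}

def actor_kind(record):
    # Assumption: a VM's managed identity appears as a ServicePrincipal caller.
    return "workload" if record["principalType"] == "ServicePrincipal" else "user"

def detect(records, trusted_roles=(), trusted_subjects=()):
    """Return alerts keyed by (policy, caller) with the context the post lists."""
    alerts = defaultdict(lambda: {"tactic": "", "succeeded": 0, "failed": 0,
                                  "source_ips": set(), "sample_event_ids": []})
    for r in records:
        hit = BY_OPERATION.get(r["operationName"])
        if hit is None or hit[1] != actor_kind(r):
            continue  # operation not covered, or wrong actor kind for the policy
        policy, _, tactic = hit
        if r["role"] in trusted_roles or r["caller"] in trusted_subjects:
            continue  # suppressed by the role-based or subject-based trusted list
        a = alerts[(policy, r["caller"])]
        a["tactic"] = tactic
        a["succeeded" if r["status"] == "Succeeded" else "failed"] += 1
        a["source_ips"].add(r["callerIpAddress"])
        if len(a["sample_event_ids"]) < 3:
            a["sample_event_ids"].append(r["eventDataId"])
    return dict(alerts)

# Constructed sample: the attack chain from the post's opening scenario.
SAMPLE = [
    {"eventDataId": "e1", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "caller": "alice@example.com", "principalType": "User", "role": "Contributor",
     "callerIpAddress": "203.0.113.5", "status": "Succeeded"},
    {"eventDataId": "e2", "operationName": "Microsoft.Network/routeTables/write",
     "caller": "vm-web01-identity", "principalType": "ServicePrincipal", "role": "Contributor",
     "callerIpAddress": "10.0.1.4", "status": "Failed"},
    {"eventDataId": "e3", "operationName": "Microsoft.Network/routeTables/write",
     "caller": "vm-web01-identity", "principalType": "ServicePrincipal", "role": "Contributor",
     "callerIpAddress": "10.0.1.4", "status": "Succeeded"},
    # A user editing a route table is outside the workload-only policy's scope.
    {"eventDataId": "e4", "operationName": "Microsoft.Network/routeTables/write",
     "caller": "alice@example.com", "principalType": "User", "role": "Network Contributor",
     "callerIpAddress": "203.0.113.5", "status": "Succeeded"},
]

if __name__ == "__main__":
    print(detect(SAMPLE))  # two alerts: the RunCommand and the route-table edits
```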