Remote usage of an Azure Managed Identity token

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-04-21

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Serverless Function Credentials Theft Analytics
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Steal Application Access Token (T1528) Unsecured Credentials (T1552)
Severity	Low

Description

An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

Attacker's Goals

Exfiltrate valid token and abuse it remotely.

Investigative actions

Verify whether the Managed Identity should be used remotely.
Check what API calls were executed by the Managed Identity.
Check if the relevant compute service is compromised.

Variations

Remote usage of an Azure Function App's Managed Identity token

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

Attacker's Goals

Exfiltrate valid token and abuse it remotely.

Investigative actions

Verify whether the Managed Identity should be used remotely.
Check what API calls were executed by the Managed Identity.
Check if the relevant compute service is compromised.

Remote usage of an Azure Automation Account's Managed Identity token

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

Attacker's Goals

Exfiltrate valid token and abuse it remotely.

Investigative actions

Verify whether the Managed Identity should be used remotely.
Check what API calls were executed by the Managed Identity.
Check if the relevant compute service is compromised.

Remote usage of an Azure Managed Identity token from an unusual ASN

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

High

Description

An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

Attacker's Goals

Exfiltrate valid token and abuse it remotely.

Investigative actions

Verify whether the Managed Identity should be used remotely.
Check what API calls were executed by the Managed Identity.
Check if the relevant compute service is compromised.

Remote usage of an Azure Managed Identity token from an unusual IP

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An Azure Managed Identity token, which is attached to a compute service, was used externally of the cloud environment.

Attacker's Goals

Exfiltrate valid token and abuse it remotely.

Investigative actions

Verify whether the Managed Identity should be used remotely.
Check what API calls were executed by the Managed Identity.
Check if the relevant compute service is compromised.