Review & Remediate Resource Manager Recommendations
Implementation Effort: Medium — Reviewing and remediating alerts requires coordination between security, platform, and subscription owners, and may involve changes to access controls, automation accounts, and virtual machines.
User Impact: Low — These remediations are performed by administrators and do not require end-user involvement.
Overview
Microsoft Defender for Resource Manager monitors Azure control plane operations and generates alerts for suspicious or unauthorized activities. These alerts help detect threats such as privilege escalation, unauthorized deployments, and lateral movement attempts using tools like PowerZure or Microburst 1.
To review and remediate recommendations:
- Go to Microsoft Defender for Cloud in the Azure portal.
- Navigate to Security alerts and filter by Resource Manager.
- Investigate each alert using the Azure Activity Log:
- Filter by subscription, time frame, and user account.
- Look for suspicious operations or delegated access 2.
- Take remediation actions:
- User accounts: Reset credentials or delete unfamiliar accounts.
- Subscriptions: Remove unauthorized Runbooks, review IAM roles, and delete unfamiliar resources.
- Virtual machines: Change passwords, run malware scans, or reimage if compromised 2.
These actions align with the "Assume Breach" principle of Zero Trust by treating unexpected activity as potentially malicious and responding with containment and investigation. Ignoring these alerts can allow attackers to persist in your environment and escalate privileges undetected.