For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/f72-zu8-tjj.md. A documentation index is available at /llms.txt.

Azure Policy Assignment Created

azure

Classification:

compliance

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Goal

Detect when an Azure policy assignment has been created.

Strategy

Monitor Azure activity logs and detect when the @evt.name is equal to MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE and @evt.outcome is equal to Success.

Triage and response

Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.