Unexpected Azure API calls indicating Machine Learning workspace modification
Description
AlphaSOC detected modification of an Azure Machine Learning workspace via
Microsoft.MachineLearningServices/workspaces/write. ML workspaces provide
access to compute resources, training data, models, and experimentation
environments.
Adversaries may modify workspaces to inject malicious code into ML pipelines, access sensitive training data, or deploy cryptomining workloads on compute resources. Unexpected workspace modifications may indicate compromised credentials or insider threats.
Impact
ML workspace modifications can enable unauthorized access to compute resources and sensitive data. Attackers may use ML compute for cryptomining, exfiltrate proprietary training data or models, or inject backdoors into ML pipelines. Compromised ML environments can affect downstream applications that consume model outputs.
Severity
| Severity | Condition |
|---|---|
Low | ML workspace modification detected |
Medium | Anomalous ML workspace modification |
Investigation and Remediation
Review Azure Activity logs for
Microsoft.MachineLearningServices/workspaces/write events. Identify what
configuration changes were made and verify if they align with authorized data
science workflows. Check for modifications to compute targets, datastores, or
linked services.
If unauthorized, revert the workspace configuration and investigate the compromised identity. Review compute usage for signs of cryptomining or unauthorized workloads. Audit access to training data and models for signs of exfiltration. Implement RBAC to restrict workspace modification permissions.