Unexpected Azure API calls indicating Notebook Proxy modification

ID: azure_notebook_proxy_modification_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0002:T1059

Description

AlphaSOC detected modification of an Azure Notebook Proxy via Microsoft.Notebooks/NotebookProxies/write. Notebook proxies enable interactive code execution within Azure Machine Learning environments, providing access to compute resources and data.

Adversaries may modify notebook proxies to execute malicious code, establish persistence in ML infrastructure, or facilitate data exfiltration. While often triggered by Azure internal services, user-initiated modifications warrant security review.

Impact

Notebook proxy modifications can enable unauthorized code execution within ML environments. Attackers may use this access for data exfiltration, lateral movement to other Azure resources, or establishing persistent access to compute infrastructure. Compromised notebook environments can affect ML pipelines and downstream applications.

Severity

Severity   Condition
Low        Notebook Proxy modification detected
Medium     Anomalous Notebook Proxy modification

Investigation and Remediation

Review Azure Activity logs for Microsoft.Notebooks/NotebookProxies/write events. Identify the principal that performed the modification and verify whether it was a legitimate data science workflow or an Azure internal service operation. Examine what configuration changes were made.

If unauthorized, investigate the compromised identity and review notebook execution history for signs of malicious code. Check for data access patterns indicating exfiltration. Rotate credentials and implement RBAC to restrict notebook proxy modifications.
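The triage described above, as an added example that is not part of the original detection or AlphaSOC's code: it filters constructed Azure Activity records for the write operation, skips callers that look like Azure internal services (a bare application GUID rather than a user UPN), and rates remaining writes Low when the caller is in a known baseline and Medium when it is not. The field names and the UPN-vs-GUID heuristic are assumptions made for the example.

```python
import json

# Constructed Azure Activity records; the field names (operationName, caller,
# resultType, resourceId) and all values are assumptions for this example.
OPERATION = "Microsoft.Notebooks/NotebookProxies/write"
RES_WS1 = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/ml-rg/providers/Microsoft.Notebooks/NotebookProxies/ws-1"
RES_WS2 = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/ml-rg/providers/Microsoft.Notebooks/NotebookProxies/ws-2"

SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": OPERATION, "caller": "alice@example.com",
     "resultType": "Success", "resourceId": RES_WS1},
    {"operationName": OPERATION, "caller": "mallory@example.com",
     "resultType": "Success", "resourceId": RES_WS1},
    {"operationName": OPERATION, "caller": "00000000-0000-0000-0000-000000000001",
     "resultType": "Success", "resourceId": RES_WS2},
    {"operationName": "Microsoft.Notebooks/NotebookProxies/read",
     "caller": "mallory@example.com", "resultType": "Success", "resourceId": RES_WS2},
    {"operationName": OPERATION, "caller": "mallory@example.com",
     "resultType": "Failure", "resourceId": RES_WS2},
])

# User principals seen making legitimate proxy writes during a baseline period.
BASELINE_CALLERS = {"alice@example.com"}


def is_user_principal(caller: str) -> bool:
    """Heuristic: a UPN-style caller is an interactive user; a bare GUID is a
    service principal or Azure internal service (the documented false positive)."""
    return "@" in caller


def triage(activity_log_json: str, baseline_callers: set) -> list:
    """One finding per successful Notebook Proxy write by a user principal:
    Low when the caller is in the baseline, Medium (anomalous) otherwise."""
    findings = []
    for ev in json.loads(activity_log_json):
        if ev.get("operationName") != OPERATION:
            continue
        if ev.get("resultType") != "Success":
            continue  # failed attempts are hunted separately, not rated here
        caller = ev.get("caller", "")
        if not is_user_principal(caller):
            continue  # Azure internal service: known false positive
        severity = "Low" if caller in baseline_callers else "Medium"
        findings.append({"severity": severity, "caller": caller,
                         "resourceId": ev.get("resourceId")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACTIVITY_LOG, BASELINE_CALLERS):
        print(f"{f['severity']:6} {f['caller']:20} {f['resourceId']}")
```

In production the baseline would come from historical Activity log data for the subscription, and the GUID heuristic should be replaced by an allowlist of the specific first-party application IDs observed performing these writes.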

Known False Positives

  • Azure internal services performing automated actions