Cloud computing has experienced rapid growth, which has in turn led to an increase in security threats and a growing demand for effective anomaly detection strategies. Traditional security systems often struggle to capture the complex and dynamic relationships inherent in cloud environments, limiting their ability to detect sophisticated attacks. This paper examines the application of Graph Neural Networks (GNNs) to Azure cloud security analytics, with a particular focus on detecting anomalies such as unauthorized access and privilege escalation through the analysis of Azure Activity Logs.
We propose a novel GNN-based anomaly detection framework in which activity log data is processed, transformed, and represented as a graph structure. The GNN model is trained to learn relational patterns and to classify potentially malicious activities. To support near-real-time security monitoring, the proposed solution is deployed using Azure Functions. Experimental results demonstrate that the GNN-based approach effectively identifies cloud security threats and achieves significant improvements over traditional rule-based detection methods.
Introduction
For organizations leveraging Azure cloud services, ensuring robust cloud security remains a critical challenge. The vast volume of security telemetry generated in cloud environments makes the manual detection of sophisticated and multistage malicious activities increasingly difficult. Traditional security solutions, such as rule-based or signature-based intrusion detection systems, often struggle to adapt to novel and previously unseen attack techniques. As threats continue to evolve, these conventional approaches may lose effectiveness, leaving organizations exposed to emerging security risks.
This research investigates the application of Graph Neural Networks (GNNs) for cloud security analytics, with a particular focus on Azure Activity Logs. By leveraging the rich relational structure inherent in these logs, GNNs enable the modeling of complex interactions between identities, resources, and operations. This approach aims to develop a more adaptive and expressive anomaly detection framework, capable of identifying subtle and coordinated malicious behaviors that may evade traditional security mechanisms. Ultimately, the proposed solution seeks to enhance the protection of cloud resources by providing a scalable and effective security analytics capability for Azure environments.
Background and related work
The increase in cyberattacks has made cloud security a major concern. This section reviews relevant literature for the proposed framework, focusing on risks like unauthorized access, privilege escalation, data leakage, DDoS attacks, and insider threats. As cloud environments become more complex, static or signature-based security measures struggle against sophisticated attacks.
Azure Activity Logs provide essential telemetry, recording control plane operations and capturing events such as authentication, resource modifications, role changes, and policy updates. Analyzing these logs is vital for detecting suspicious behaviors like unusual access attempts or privilege changes.
Graph Neural Networks (GNNs), designed for graph-structured data, excel at modeling relationships between users, resources, and services making, making them effective for threat detection in security analytics. Traditional anomaly detection methods, including signature-based, rule barule-basedupervised machine learning, often fail to identify novel or multistage attacks, whereas graph-based models offer better generalization by representing relational structures.
Recent GNN applications have proven useful in network intrusion, fraud detection, and malicious behavior analysis. Building on these advances, this study aims to use GNNs for adaptive, scalable cloud security analytics to detect real-time threats in Azure environments.
Methodology
Azure Activity Logs and related security telemetry are ingested using Azure native services and SDKs such as Azure Monitor, Azure Event Hubs, and Azure SDKs, rather than AWS-specific tooling. These logs capture critical control plane and operational events with metadata including caller identity, resource provider, operation name, source IP address, and timestamps. The collected raw log data is centralized in a log analytics or data lake environment for further processing.
During preprocessing, the raw telemetry undergoes structured filtering and normalization workflows. Irrelevant or noisy events are removed, while security-relevant signals are retained to improve the effectiveness of automated threat detection and analytics pipelines. This step ensures consistent schemas, enriched context (such as identity and resource relationships), and reduced data volume without losing investigative value.
The retained events are modeled as a graph-based representation, where identities (users or service principals), Azure resources, and IP addresses form nodes. Interactions—such as management operations, API calls, privilege changes, or access attempts—are represented as edges. This graph structure enables advanced detection of suspicious behaviors, including privilege escalation, lateral movement, and unauthorized access patterns across the Azure environment.
Graph Construction and Representation
The preprocessed security telemetry is transformed into a heterogeneous graph structure, where nodes represent different entity types, including users, Azure services, and IP addresses. Edges in the graph capture various forms of interactions between these entities, such as API invocations, privilege escalation events, and unauthorized access attempts.
Graph construction follows a systematic process in which each security-relevant event is mapped into the graph based on the relationships it establishes among entities. This approach ensures that both direct and indirect interactions are preserved within the graph topology, enabling comprehensive relational modeling of cloud activity.
Let 𝐺=(𝑉,𝐸)denote the security graph, where 𝑉represents the set of nodes and 𝐸represents the set of edges. Each node 𝑣∈𝑉is associated with a feature vector 𝐱𝑣∈ℝ𝑑, where 𝑑denotes the dimensionality of the node feature space. The adjacency matrix 𝐴∈ℝ∣𝑉∣×∣𝑉∣encodes the structural relationships within the graph, such that 𝐴𝑖𝑗=1indicates the presence of an edge between nodes 𝑖and 𝑗, and 𝐴𝑖𝑗=0otherwise.
Graph Neural Network Architecture
The proposed framework employs a Graph Neural Network (GNN) based on Graph Convolutional Networks (GCNs) to learn expressive node representations that capture both local neighborhood information and global graph structure. The GCN model operates using an iterative message passing mechanism, where node representations are updated by aggregating and transforming information from their neighboring nodes.
The mathematical formulation for the GCN layer is expressed as:
H^{(l+1)} = σ(D^{-1/2}ÃD^{-1/2}H^{(l)}W^{(l)})
Where:
- H^{(l)} represents the node features at layer l,
- Ã denotes the adjacency matrix with added self-connections,
- D represents the diagonal degree matrix,
- W^{(l)} is the learnable weight matrix for layer l,
- σ represents the activation function.
Node Feature Engineering
Node features are designed to reflect security-relevant behaviors unique to each entity type.
- User nodes capture historical access habits, privilege levels, activity timing, service diversity, and past anomalies.
- Service nodes focus on resource importance, request volume, variety of users, usage trends, and related security incidents.
- IP address nodes include location, reputation, typical access patterns, and request frequency.
Feature embeddings combine statistical data with domain-specific security metrics. Sample vectors might include measures like access frequency, privilege scores, usage distributions, criticality level, and anomaly history.
Anomaly Detection Framework
Training Methodology
The anomaly detection model follows a supervised learning paradigm, trained on a curated dataset containing labeled instances of benign and malicious activities. The training objective combines a classification loss with a graph regularization term to enforce consistency across structurally related nodes.
The loss function is formulated as:
L = L_classification + λL_regularization
Where:
- L_classification represents the cross-entropy loss for anomaly classification
- L_regularization ensures smooth predictions across connected nodes,
- λ controls the regularization strength.
Performance Metrics and Evaluation
The performance of the proposed GNN-based anomaly detection framework is evaluated against existing security detection approaches to assess its effectiveness in identifying malicious activities in Azure cloud environments. Standard classification metrics of accuracy, precision, recall, and F1 score are used to provide a comprehensive evaluation across multiple threat scenarios, including unauthorized access and privilege escalation patterns.
Experimental results demonstrate that the proposed GNN-based approach significantly outperforms traditional security detection techniques. As shown in Figure 1, the GNN model achieves an overall accuracy of 94.2% in detecting anomalous activities from Azure Activity Logs. This represents a substantial improvement over rule-based detection systems, which achieve accuracy in the range of 78–82%, and over traditional machine learning approaches that rely on tabular feature representations.
In addition to accuracy, the proposed model exhibits strong performance in precision and recall. The precision of 91.8% indicates that most events flagged as anomalous correspond to genuine security threats, thereby reducing false positives. The recall of 92.6% demonstrates the model’s effectiveness in capturing a high proportion of true malicious activities, minimizing missed detections. The resulting F1 score further confirms the balanced performance of the GNN-based approach compared to baseline methods.
Overall, these results highlight the advantage of leveraging graph-based learning to model complex relationships between users, services, and network entities, enabling more accurate and robust cloud security analytics than conventional rule barule-basedaditional machine learning techniques.
Figure 1:Performance Comparison Across Different Methods Compar.e accuracy, precision, recall, and F1 score between rule-based systems, traditional ML, and your GNN approach. Shows your GNN method achieving 94.2% accuracy vs 78% for rule-based systemsComparative
Comparative Analysis Results
The advantages of the proposed graph-based anomaly detection methodology are demonstrated through a comparative performance analysis against conventional security detection approaches. Rule-based systems exhibit limited adaptability to evolving and previously unseen attack patterns, achieving F1 scores in the range of 0.75–0.80. Traditional machine learning methods that rely on tabular feature representations show improved performance, with F1 scores of approximately 0.85. In contrast, the proposed GNN-based approach consistently achieves F1 scores exceeding 0.92 across all evaluated test conditions, highlighting its superior detection capability.
A temporal analysis of detection performance further illustrates the robustness of the GNN model. Despite variations in attack patterns and workload dynamics over time, the proposed model maintains stable and consistent performance. This behavior reflects the model’s strong generalization ability, which is significantly better than that of fixed rule-based systems that rely on static detection logic.
The effectiveness of the learned representations is further validated through cross-validation experiments conducted across different cloud environments and account configurations. The GNN model demonstrates consistent performance across these settings, indicating its ability to generalize beyond a single deployment context. Furthermore, when classification errors occur, they tend to remain isolated rather than propagating across environments, suggesting that the model does not overfit specific account configurations or usage patterns.
Figure 2:Model Training Progress and Convergence Displays training/validation loss curves and accuracy improvement over epochs. Demonstrates model convergence and lack of overfitting
Threat Detection Capabilities
Graph-based models are particularly well suwell-suitedtecting complex and multistage attack patterns that involve sequences of interrelated actions across multiple services and extended time frames. Such distributed attacks are difficult to detect using traditional security systems, which typically analyze events in isolation and cannot model relationships between seemingly unrelated activities. In contrast, the proposed GNN-based framework captures these relationships explicitly, enabling the identification of complete attack chains, including initial reconnaissance, privilege escalation, lateral movement, and data exfiltration.
Case study–based analysis further demonstrates the effectiveness of the proposed model in identifying advanced persistent threats (APTs), which often unfold gradually over long periods and are characterized by subtle deviations from normal behavior. By leveraging a graph-based representation of cloud activity, the model can uncover anomalous relational patterns that are difficult to detect using traditional feature-based methods. This relational perspective enables more accurate detection of stealthy and coordinated attacks that would otherwise remain hidden within large volumes of benign cloud activity.
Figure 3: Feature Importance in Anomaly Detection. A pie chart showing the relative importance of different features (user behavior, network patterns, etc.) Helps explain what the model focuses on for detection
Scalability and Performance Analysis
An evaluation of runtime performance demonstrates that the proposed GNN-based security analytics framework scales effectively to large graph structures and can process near-real-time events with low latency. Experimental results indicate that, for data volumes comparable to typical enterprise-scale deployments, the system processes incoming telemetry within time bounds suitable for continuous security monitoring.
Resource utilization analysis further shows that the model maintains efficient memory and compute usage, even when operating on large-scale security graphs consisting of thousands of nodes and millions of edges. This efficiency is achieved by leveraging localized message passing and sparse graph operations, which reduce unnecessary computational overhead.
Scalability analysis reveals that the model exhibits approximately linear growth in execution time with respect to both the number of nodes and the number of edges in the security graph. As a result, the proposed framework can be deployed in large enterprise cloud environments without significant degradation in performance, making it suitable for productproduction-levelsecurity analytics.
Figure 4:Temporal Distribution of Normal vs Anomalous Activities Area c.hart showing how normal and anomalous activities vary throughout the day. Useful for understanding attack timing patterns
Azure Functions Implementation
The trained GNN-based anomaly detection model is deployed using Azure Functions, enabling real-time processing of Azure Activity Logs within a serverless execution environment. This deployment model provides high availability, automatic scaling, and cost-efficient operation, allowing the system to adapt dynamically to varying event workloads without requiring dedicated infrastructure management.
The Azure Function is designed to ingest incoming activity events, perform incremental graph updates, and generate anomaly predictions with low end to end latency. By maintaining an up-to-date representation of the security graph, the system ensures timely detection of suspicious behaviors as new events arrive.
To support continuous monitoring and alerting, the solution is integrated with Azure Timer triggers and event-based scheduling mechanisms, enabling periodic evaluation and automated alert generation. When anomalous activity is detected, alerts are forwarded to monitoring and notification services, allowing security teams to define custom thresholds, metrics, and alerting rules. This facilitates rapid triage and supports an efficient incident response workflow, enabling timely investigation and mitigation of potential security threats.
Figure 5: Explaining the architecture flow; showing how the activity logs are routed to various azure fAzureons and an anomaly is detected and notified.
Integration with Azure Security Services
The proposed GNN-based threat detection system is designed to integrate seamlessly with Azure native security services, enabling unified visibility and coordinated threat response across the Azure environment. Specifically, the framework integrates with Microsoft Defender for Cloud, Azure Firewall, and Azure Policy, allowing security insights generated by the model to be correlated with existing preventive, detective, and governance controls.
Detected security events and anomalies are converted into standardized Azure security alerts and can be surfaced through Microsoft Defender for Cloud and Microsoft Sentinel for centralized monitoring and investigation. This integration enables security teams to combine graph-based anomaly detection with signature-based detections, behavioral analytics, and policy compliance signals, providing a holistic view of security posture and threats across subscriptions and resources.
To support interoperability with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms, the generated findings follow Microsoft security alert schemas and are exported using supported ingestion mechanisms such as Azure Monitor, Log Analytics, and Microsoft Sentinel connectors. This allows automated incident enrichment, alert correlation, and response playbooks to be triggered, facilitating rapid and coordinated incident response across the Azure security ecosystem.
Future Enhancements and Research Directions
Federated Learning Implementation
One promising research direction involves the integration of federated learning to enable multi-account and cross-tenant security monitoring within Azure environments. Federated learning allows models to be trained collaboratively across multiple organizations or subscriptions without requiring the sharing of raw security data, thereby preserving data privacy and confidentiality.
By aggregating learned model updates rather than sensitive telemetry, this approach can enhance detection capabilities for distributed and coordinated attacks that span multiple Azure accounts or organizations. Such collaboration has the potential to significantly improve model robustness and detection accuracy against large slarge-scaleoss ocross-organizational campaigns.
Automated Remediation Integration
Another important enhancement involves integrating automated remediation workflows using Azure native orchestration services such as Azure Logic Apps or Azure Functions–based workflows. By coupling anomaly detection with automated response actions such as access revocation, policy enforcement, or network isolation, the system can proactively mitigate detected threats. This automation can significantly reduce response time and limit the potential impact of security incidents by containing threats at an early stage.
Advanced Analytics and Threat Intelligence
Further research can focus on incorporating advanced analytics capabilities, including predictive threat modeling and behavioral baseline establishment. By learning normal patterns of user and service behavior over time, the system can anticipate potential threats and detect deviations before an attack fully materializes. Such predictive and behavior-driven analytics would enable a shift from reactive security monitoring toward a more proactive and preventative security posture in cloud environments.
Conclusion
Graph Neural Networks (GNNs) offer an advanced method for cloud security analytics by utilizing the complex relationships in Azure Activity Logs. This research shows that GNN models outperform traditional detection techniques, achieving higher accuracy and adaptability to new threats, as well as near real-time monitoring with Azure Functions.
The solution integrates smoothly with native Azure security services, scales across organizations, and offers a holistic view of cloud interactions, surpassing rule-based approaches. Future enhancements like federated learning and automated workflows will further strengthen collaborative and proactive security systems. Overall, this study advances intelligent, scalable protection for modern Azure cloud environments against evolving threats.
(Photo by Growtika on Unsplash)
