Azure Recovery Services Resource Deleted

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Azure Recovery Services Resource Deleted

Identifies the deletion of Azure Recovery Services resources. Azure Recovery Services vaults contain data for copies of VMs, workloads, servers, and other resources regarding Infrastructure as a Service (IaaS). Adversaries may delete these recovery services to impact backup capabilities during stable operations or to inhibit disaster recovery services during ransom-based attacks or operational disruptions.

Rule type: query

Rule indices:

logs-azure.activitylogs-*
filebeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.microsoft.com/en-us/security/blog/2023/07/25/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/

Tags:

Domain: Cloud
Domain: Storage
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Rule Type: BBR

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:MICROSOFT.RECOVERYSERVICES/*/DELETE and
    event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Inhibit System Recovery
- ID: T1490
- Reference URL: https://attack.mitre.org/techniques/T1490/

« Azure RBAC Built-In Administrator Roles Assigned Azure Resource Group Deletion »