Azure Event Hub Deletion
Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/18"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large
11volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.
12"""
13false_positives = [
14 """
15 Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
16 resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should
17 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
18 """,
19]
20from = "now-25m"
21index = ["filebeat-*", "logs-azure*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Azure Event Hub Deletion"
25note = """## Setup
26
27The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
30 "https://azure.microsoft.com/en-in/services/event-hubs/",
31 "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features",
32]
33risk_score = 47
34rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success)
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1562"
49name = "Impair Defenses"
50reference = "https://attack.mitre.org/techniques/T1562/"
51[[rule.threat.technique.subtechnique]]
52id = "T1562.001"
53name = "Disable or Modify Tools"
54reference = "https://attack.mitre.org/techniques/T1562/001/"
55
56
57
58[rule.threat.tactic]
59id = "TA0005"
60name = "Defense Evasion"
61reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Kubernetes Events Deleted
- AWS CloudTrail Log Suspended
- AWS VPC Flow Logs Deletion
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification