Azure Event Hub Deletion
Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.
Elastic rule
[metadata]
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large
volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.
"""
false_positives = [
    """
    Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
    resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Event Hub Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Event Hub Deletion

Azure Event Hub is a scalable data streaming platform and event ingestion service, crucial for processing large volumes of data in real-time. Adversaries may target Event Hubs to delete them, aiming to disrupt data flow and evade detection by erasing evidence of their activities. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential defense evasion attempts by identifying unauthorized or suspicious deletions.

### Possible investigation steps

- Review the Azure activity logs to confirm the deletion event by checking the operation name "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and ensure the event outcome is marked as Success.
- Identify the user or service principal responsible for the deletion by examining the associated user identity or service principal ID in the activity logs.
- Investigate the context of the deletion by reviewing recent activities performed by the identified user or service principal to determine if there are any other suspicious actions.
- Check for any recent changes in permissions or roles assigned to the user or service principal to assess if the deletion was authorized or if there was a potential privilege escalation.
- Correlate the deletion event with other security alerts or incidents in the environment to identify if this action is part of a larger attack pattern or campaign.
- Communicate with relevant stakeholders or teams to verify if the deletion was part of a planned operation or maintenance activity.

### False positive analysis

- Routine maintenance or updates by authorized personnel can trigger deletion logs. Verify if the deletion aligns with scheduled maintenance activities and exclude these operations from alerts.
- Automated scripts or tools used for managing Azure resources might delete Event Hubs as part of their normal operation. Identify these scripts and whitelist their activity to prevent false positives.
- Test environments often involve frequent creation and deletion of resources, including Event Hubs. Exclude known test environments from monitoring to reduce noise.
- Changes in organizational policies or restructuring might lead to legitimate deletions. Ensure that such policy-driven deletions are documented and excluded from alerts.
- Misconfigured automation or deployment processes can inadvertently delete Event Hubs. Regularly review and update configurations to ensure they align with intended operations and exclude these from alerts if verified as non-threatening.

### Response and remediation

- Immediately isolate the affected Azure Event Hub namespace to prevent further unauthorized deletions or modifications. This can be done by restricting access through Azure Role-Based Access Control (RBAC) and network security groups.
- Review and revoke any suspicious or unauthorized access permissions associated with the deleted Event Hub. Ensure that only authorized personnel have the necessary permissions to manage Event Hubs.
- Restore the deleted Event Hub from backups if available, or reconfigure it to resume normal operations. Verify the integrity and completeness of the restored data.
- Conduct a thorough audit of recent Azure activity logs to identify any other unauthorized actions or anomalies that may indicate further compromise.
- Escalate the incident to the security operations team for a detailed investigation into the root cause and to assess the potential impact on other Azure resources.
- Implement additional monitoring and alerting for Azure Event Hub operations to detect and respond to similar unauthorized activities promptly.
- Review and update security policies and access controls for Azure resources to prevent recurrence, ensuring adherence to the principle of least privilege.

## Setup

This rule requires data from the Azure Fleet integration, the Filebeat module, or a similarly structured source."""
references = [
    "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
    "https://azure.microsoft.com/en-in/services/event-hubs/",
    "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features",
]
risk_score = 47
rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
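The following is an added example, not Elastic's own code: it applies the rule's three KQL conditions to constructed Azure activity-log documents (flat dicts keyed by dotted field name, as the Elasticsearch `fields` API returns them) and groups the hits by actor, skipping identities exempted as known automation per the false-positive guidance above. The actor and resource field names are assumptions about the Azure integration's document shape; only `event.dataset`, `azure.activitylogs.operation_name` and `event.outcome` come from the rule itself.

```python
from collections import defaultdict

# Exact values from the rule's KQL query.
DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE"
OUTCOMES = {"Success", "success"}  # event.outcome:(Success or success)

# Assumed field names for actor and resource (not referenced by the rule).
ACTOR = "azure.activitylogs.identity.claims_initiated_by_user.name"
RESOURCE = "azure.resource.id"


def matches_rule(doc):
    """The rule's three KQL conditions AND-ed, on a flat {dotted field: value} doc."""
    return (
        doc.get("event.dataset") == DATASET
        and doc.get("azure.activitylogs.operation_name") == OPERATION
        and doc.get("event.outcome") in OUTCOMES
    )


def triage(docs, exempt_actors=frozenset()):
    """Return {actor: [resource ids]} for matching docs, skipping actors
    exempted as known automation (the rule's false-positive guidance)."""
    hits = defaultdict(list)
    for doc in docs:
        if not matches_rule(doc):
            continue
        actor = doc.get(ACTOR, "<unknown>")
        if actor in exempt_actors:
            continue
        hits[actor].append(doc.get(RESOURCE))
    return dict(hits)


def sample(op, outcome, actor, resource):
    """Build one constructed sample document (flat, dotted keys)."""
    return {"event.dataset": DATASET, "azure.activitylogs.operation_name": op,
            "event.outcome": outcome, ACTOR: actor, RESOURCE: resource}


# Constructed sample: a failed delete, a delete by a deploy pipeline, two by
# an unfamiliar user, and a namespace-level delete the rule does not cover.
SAMPLE_DOCS = [
    sample(OPERATION, "Failure", "alice@example.com", "/eh/orders"),
    sample(OPERATION, "Success", "deploy-pipeline", "/eh/test-1"),
    sample(OPERATION, "success", "bob@example.com", "/eh/audit"),
    sample(OPERATION, "Success", "bob@example.com", "/eh/telemetry"),
    sample("MICROSOFT.EVENTHUB/NAMESPACES/DELETE", "Success", "bob@example.com", "/ns/prod"),
]
```

`triage(SAMPLE_DOCS, exempt_actors={"deploy-pipeline"})` leaves only the two deletions by the unfamiliar user, which is the set the investigation steps above would be applied to.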
Related rules
- Azure Kubernetes Events Deleted
- AWS SQS Queue Purge
- Azure Alert Suppression Rule Created or Modified
- Azure Application Credential Modification
- Azure Automation Runbook Deleted