Azure Compute Restore Point Collection Deleted by Unusual User

Identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Adversaries may delete these collections to prevent recovery during ransomware attacks or to cover their tracks during malicious operations.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/10/13"
integration = ["azure"]
maturity = "production"
updated_date = "2025/10/13"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity.
Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities.
Adversaries may delete these collections to prevent recovery during ransomware attacks or to cover their tracks during
malicious operations.
"""
false_positives = [
    """
    Restore Point Collection deletions may be performed by system administrators during routine cleanup or
    decommissioning activities. Verify whether the user and resource should be performing these operations. Deletions
    from unfamiliar users or targeting critical resources should be investigated. If known behavior is causing false
    positives, it can be exempted from the rule.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Compute Restore Point Collection Deleted by Unusual User"
note = """## Triage and analysis

### Investigating Azure Compute Restore Point Collection Deleted by Unusual User

Azure Compute Restore Point Collections are critical components for disaster recovery, containing snapshots that enable point-in-time
recovery of virtual machines. Deletion of these collections can severely impact an organization's ability to recover from
incidents, making them attractive targets for adversaries conducting ransomware attacks or attempting to cover their tracks.

This rule detects a successful Restore Point Collection deletion by a user who has not deleted one in that resource group
within the 7-day history window, which may indicate unauthorized activity or a compromised account.

### Possible investigation steps

- Review the `azure.activitylogs.identity.claims_initiated_by_user.name` field to identify the specific user who performed the deletion operation.
- Investigate the `azure.resource.id` or `azure.resource.name` fields to identify which Restore Point Collection was deleted and assess its criticality to business operations.
- Review the timeline of the deletion event and correlate it with other security events or user activities to identify any suspicious patterns or related activities.
- Verify whether the user account has legitimate access to perform this operation and whether this deletion was authorized through change management processes.
- Check for any other unusual activities by the same user account around the time of the deletion, such as privilege escalation attempts or access to other sensitive resources.
- Investigate whether there are any active alerts or indicators of compromise related to ransomware activity in the environment.

### False positive analysis

- Routine administrative activities by infrastructure teams may trigger this alert when team members rotate or new administrators are onboarded. Create exceptions for known administrative accounts after verification.
- Automated cleanup scripts or Azure policies that periodically remove old restore points may cause alerts. Identify and exclude service accounts used for these automated operations.
- Planned decommissioning activities or migration projects may involve legitimate deletion of restore point collections. Document these activities and create temporary exceptions during known maintenance windows.
- Testing and development environments may see frequent creation and deletion of resources. Consider excluding these environments from monitoring or adjusting the rule to focus on production resources only.

### Response and remediation

- Immediately verify the legitimacy of the deletion operation with the user or their manager. If the activity is unauthorized, proceed with incident response procedures.
- If unauthorized deletion is confirmed, immediately isolate the affected user account to prevent further malicious activity. Reset credentials and review account permissions.
- Do not assume the deleted Restore Point Collection itself can be restored; check whether the affected virtual machines remain protected by other recovery mechanisms, such as Azure Backup recovery points in a Recovery Services vault, other restore point collections, or managed disk snapshots, and confirm those have not been deleted as well.
- Review and audit all recent activities performed by the affected user account to identify other potentially malicious actions.
- Assess the impact on disaster recovery capabilities and inform relevant stakeholders about potential recovery limitations.
- Review access controls and permissions for Restore Point Collection management, implementing principle of least privilege where necessary.
- If ransomware activity is suspected, escalate to the security incident response team and implement broader containment measures, including checking for other indicators of ransomware such as deletion of Recovery Services vaults or backup fabric containers.
- Document the incident and update detection rules or procedures based on lessons learned.
"""
references = [
    "https://www.microsoft.com/en-us/security/blog/2023/07/25/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/",
]
risk_score = 47
rule_id = "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
    event.outcome: (Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.activitylogs.identity.claims_initiated_by_user.name", "azure.resource.group"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
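The following Python is an added example, not part of the Elastic rule or the detection-rules repository. It replays what the rule does over a handful of constructed Azure activity-log documents: the KQL filter (dataset, operation name, successful outcome) and the new_terms logic, which treats the pair of `azure.activitylogs.identity.claims_initiated_by_user.name` and `azure.resource.group` as the term and alerts only when that pair has not been seen in the 7-day history window before the 9-minute run window. It also includes the pivot a triage analyst wants first: everything the flagged user did around the alert. Field names come from the rule; the users, resource groups, timestamps, and every operation name in `RECOVERY_INHIBITING_OPS` other than the rule's own are assumptions for the example, and the history-window handling is an approximation of Elastic's new_terms rule type rather than its implementation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like ECS-mapped Azure activity log documents.
# Field names follow the rule; users, resource groups and times are invented.
T0 = datetime(2025, 10, 13, 12, 0, tzinfo=timezone.utc)  # pretend "now" for the rule run


def make_event(minutes_ago, user, resource_group,
               action="MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE",
               outcome="Success", dataset="azure.activitylogs"):
    return {
        "@timestamp": T0 - timedelta(minutes=minutes_ago),
        "event.dataset": dataset,
        "event.action": action,
        "event.outcome": outcome,
        "azure.activitylogs.identity.claims_initiated_by_user.name": user,
        "azure.resource.group": resource_group,
        "azure.resource.name": f"rpc-{resource_group}",
    }


SAMPLE_EVENTS = [
    make_event(5 * 24 * 60, "backup-automation@corp.example", "rg-prod-vms"),  # inside 7d history
    make_event(3 * 24 * 60, "backup-automation@corp.example", "rg-prod-vms"),
    make_event(10, "backup-automation@corp.example", "rg-prod-vms"),          # known pair, before run window
    make_event(8, "jdoe@corp.example", "rg-prod-vms", outcome="Failure"),     # failed attempt: filtered out
    make_event(6, "jdoe@corp.example", "rg-prod-vms"),                        # user never deleted here: alert
    make_event(4, "jdoe@corp.example", "rg-prod-vms"),                        # pair now known: no second alert
    make_event(2, "backup-automation@corp.example", "rg-dev-vms"),            # known user, new RG: alert
    make_event(1, "jdoe@corp.example", "rg-prod-vms",
               action="MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"),            # other operation: not this rule
]

NEW_TERMS_FIELDS = ("azure.activitylogs.identity.claims_initiated_by_user.name",
                    "azure.resource.group")


def matches_query(event):
    """Python equivalent of the rule's KQL: dataset, operation name and a successful outcome."""
    return (event["event.dataset"] == "azure.activitylogs"
            and event["event.action"] == "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"
            and event["event.outcome"] in ("Success", "success"))


def new_terms_alerts(events, now, run_window=timedelta(minutes=9), history_window=timedelta(days=7)):
    """One alert per (user, resource group) pair seen in the run window but not in the history window.

    Documents older than the run window only feed the baseline; a pair whose last sighting is older
    than history_window counts as new again. Approximates Elastic's new_terms rule type.
    """
    last_seen, alerts = {}, []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(event):
            continue
        key = tuple(event[f] for f in NEW_TERMS_FIELDS)
        ts = event["@timestamp"]
        if ts >= now - run_window:  # candidate document from this rule run
            previous = last_seen.get(key)
            if previous is None or ts - previous > history_window:
                alerts.append({"timestamp": ts, "user": key[0], "resource_group": key[1],
                               "resource": event["azure.resource.name"]})
        last_seen[key] = ts
    return alerts


# Operations to mark during triage: the rule's own plus other recovery-inhibiting deletions (T1490).
# The names other than the rule's own are assumptions for this example.
RECOVERY_INHIBITING_OPS = {
    "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE",
    "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE",
    "MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE",
}


def user_activity(events, user, around, window=timedelta(hours=1)):
    """Triage pivot: everything the flagged user did within +/- window of the alert, oldest first."""
    rows = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if event["azure.activitylogs.identity.claims_initiated_by_user.name"] != user:
            continue
        if abs(event["@timestamp"] - around) > window:
            continue
        rows.append({"timestamp": event["@timestamp"], "action": event["event.action"],
                     "outcome": event["event.outcome"],
                     "recovery_impact": event["event.action"] in RECOVERY_INHIBITING_OPS})
    return rows


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS, now=T0):
        print("ALERT", alert["timestamp"].isoformat(), alert["user"], alert["resource_group"], alert["resource"])
        for row in user_activity(SAMPLE_EVENTS, alert["user"], alert["timestamp"]):
            print("   ", row["timestamp"].isoformat(), row["action"], row["outcome"],
                  "<-- recovery impact" if row["recovery_impact"] else "")
```

Two things the replay makes visible that the TOML alone does not: the failed attempt by the same user eight minutes earlier is invisible to this rule (it only matches successful deletions), so the pivot is what surfaces it; and the automation account trips the rule the first time it touches a new resource group, which is exactly the false positive the rule note tells you to exempt by service account rather than by loosening the query.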

Triage and analysis

Investigating Azure Compute Restore Point Collection Deleted by Unusual User

Azure Compute Restore Point Collections are critical components for disaster recovery, containing snapshots that enable point-in-time recovery of virtual machines. Deletion of these collections can severely impact an organization's ability to recover from incidents, making them attractive targets for adversaries conducting ransomware attacks or attempting to cover their tracks.

This rule detects a successful Restore Point Collection deletion by a user who has not deleted one in that resource group within the 7-day history window, which may indicate unauthorized activity or a compromised account.

Possible investigation steps

  • Review the azure.activitylogs.identity.claims_initiated_by_user.name field to identify the specific user who performed the deletion operation.
  • Investigate the azure.resource.id or azure.resource.name fields to identify which Restore Point Collection was deleted and assess its criticality to business operations.
  • Review the timeline of the deletion event and correlate it with other security events or user activities to identify any suspicious patterns or related activities.
  • Verify whether the user account has legitimate access to perform this operation and whether this deletion was authorized through change management processes.
  • Check for any other unusual activities by the same user account around the time of the deletion, such as privilege escalation attempts or access to other sensitive resources.
  • Investigate whether there are any active alerts or indicators of compromise related to ransomware activity in the environment.

False positive analysis

  • Routine administrative activities by infrastructure teams may trigger this alert when team members rotate or new administrators are onboarded. Create exceptions for known administrative accounts after verification.
  • Automated cleanup scripts or Azure policies that periodically remove old restore points may cause alerts. Identify and exclude service accounts used for these automated operations.
  • Planned decommissioning activities or migration projects may involve legitimate deletion of restore point collections. Document these activities and create temporary exceptions during known maintenance windows.
  • Testing and development environments may see frequent creation and deletion of resources. Consider excluding these environments from monitoring or adjusting the rule to focus on production resources only.

Response and remediation

  • Immediately verify the legitimacy of the deletion operation with the user or their manager. If the activity is unauthorized, proceed with incident response procedures.
  • If unauthorized deletion is confirmed, immediately isolate the affected user account to prevent further malicious activity. Reset credentials and review account permissions.
  • Do not assume the deleted Restore Point Collection itself can be restored; check whether the affected virtual machines remain protected by other recovery mechanisms, such as Azure Backup recovery points in a Recovery Services vault, other restore point collections, or managed disk snapshots, and confirm those have not been deleted as well.
  • Review and audit all recent activities performed by the affected user account to identify other potentially malicious actions.
  • Assess the impact on disaster recovery capabilities and inform relevant stakeholders about potential recovery limitations.
  • Review access controls and permissions for Restore Point Collection management, implementing principle of least privilege where necessary.
  • If ransomware activity is suspected, escalate to the security incident response team and implement broader containment measures, including checking for other indicators of ransomware such as deletion of Recovery Services vaults or backup fabric containers.
  • Document the incident and update detection rules or procedures based on lessons learned.
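The access-control review above is where most of the lasting fix lives, so here is an added example (not from the page, Elastic, or Microsoft) of how to answer "who could have done this?" for a given restore point collection. It evaluates role assignments the way Azure RBAC does for control-plane actions: the `*` wildcard in an `Actions` entry matches any run of characters, matching is case-insensitive, `NotActions` are subtracted from `Actions`, and an assignment applies to every resource at or below its scope. Contributor and Reader are real built-in role names, but the action lists here are illustrative and shortened; the custom roles, principals, subscription and resource IDs are constructed. Deny assignments, PIM-eligible (not yet activated) assignments and data actions are not modelled, so treat the result as a first pass, not an authorization oracle.

```python
import re

# The control-plane operation behind the alert (written as Azure RBAC spells it).
TARGET = "Microsoft.Compute/restorePointCollections/delete"

# Constructed role definitions. Contributor/Reader are real built-in role names, but these
# Actions/NotActions lists are illustrative and shortened, not copied from Azure.
ROLE_DEFINITIONS = {
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "VM Operator (custom)": {"Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []},
    "Restore Point Manager (custom)": {"Actions": ["Microsoft.Compute/restorePointCollections/*"],
                                       "NotActions": ["Microsoft.Compute/restorePointCollections/delete"]},
}

# Constructed assignments: principal, role, and the scope the role was granted at.
ROLE_ASSIGNMENTS = [
    {"principal": "jdoe@corp.example", "role": "Contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-prod-vms"},
    {"principal": "analyst@corp.example", "role": "Reader", "scope": "/subscriptions/sub1"},
    {"principal": "vm-ops-sp", "role": "VM Operator (custom)", "scope": "/subscriptions/sub1"},
    {"principal": "rp-admin@corp.example", "role": "Restore Point Manager (custom)",
     "scope": "/subscriptions/sub1/resourceGroups/rg-prod-vms"},
]


def action_matches(pattern, action):
    """Azure RBAC action matching: '*' matches any characters (including '/'); case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role_def, action):
    """Effective control-plane permission = Actions minus NotActions."""
    allowed = any(action_matches(p, action) for p in role_def["Actions"])
    excluded = any(action_matches(p, action) for p in role_def["NotActions"])
    return allowed and not excluded


def scope_covers(assignment_scope, resource_id):
    """An assignment applies if the resource sits at or below the assignment scope (scopes inherit down)."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")


def who_can(action, resource_id, assignments=ROLE_ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """Principals whose assignments grant `action` on `resource_id` (deny assignments not modelled)."""
    return sorted({a["principal"] for a in assignments
                   if scope_covers(a["scope"], resource_id) and role_allows(roles[a["role"]], action)})


if __name__ == "__main__":
    rpc = "/subscriptions/sub1/resourceGroups/rg-prod-vms/providers/Microsoft.Compute/restorePointCollections/rpc-1"
    print(who_can(TARGET, rpc))  # the resource-group Contributor is the only principal able to delete it
```

Run against a real tenant, the inputs would come from `az role definition list` and `az role assignment list --all` (or the equivalent ARM APIs) rather than the literals above; the point of the exercise is that broad roles such as Contributor grant the delete through the `*` wildcard without ever naming restore points, which is why a least-privilege review has to evaluate patterns, not grep for the operation string.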

References

  • https://www.microsoft.com/en-us/security/blog/2023/07/25/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/