Azure Compute Snapshot Deletions by User

Identifies when a single user or service principal deletes multiple Azure disk snapshots within a short time period. This behavior may indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack. Mass deletion of snapshots eliminates restore points and significantly impacts disaster recovery capabilities, making it a critical indicator of potentially malicious activity.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/10/10"
integration = ["azure"]
maturity = "production"
updated_date = "2025/10/10"

[rule]
author = ["Elastic"]
description = """
Identifies when a single user or service principal deletes multiple Azure disk snapshots within a short time period.
This behavior may indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or
prepare for a ransomware attack. Mass deletion of snapshots eliminates restore points and significantly impacts disaster
recovery capabilities, making it a critical indicator of potentially malicious activity.
"""
false_positives = [
    """
    Infrastructure teams may legitimately delete multiple snapshots during planned maintenance, storage optimization, or
    cleanup of expired backup data according to retention policies. Verify that the deletion activity was expected and
    follows organizational change management processes. Consider exceptions for approved maintenance windows or
    automation service principals managing backup retention.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Compute Snapshot Deletions by User"
note = """## Triage and analysis

### Investigating Azure Compute Snapshot Deletions by User

Azure disk snapshots are critical backup and recovery resources that enable organizations to restore data and investigate security incidents. Mass deletion of snapshots is a highly suspicious activity commonly associated with ransomware preparation, evidence destruction, or sabotage operations. Adversaries frequently target snapshots to prevent victims from recovering data without paying ransom or to eliminate forensic evidence of their activities. This detection identifies when a single identity deletes multiple snapshots in a short timeframe, which is rarely performed by legitimate administrators except during controlled maintenance activities.

### Possible investigation steps

- Review the Azure activity logs to identify the user or service principal that initiated the multiple snapshot deletions by examining the principal ID, UPN and user agent fields in `azure.activitylogs.identity.claims_initiated_by_user.name`.
- Check the specific snapshot names in `azure.resource.name` to understand which backups were deleted and assess the overall impact on recovery capabilities.
- Investigate the timing and sequence of deletions to determine if they followed a pattern consistent with automated malicious activity or manual destruction.
- Examine the user's recent activity history including authentication events, privilege changes, and other Azure resource modifications to identify signs of account compromise.
- Verify if the snapshot deletions align with approved change requests, maintenance windows, or data retention policies in your organization.
- Check if other backup-related resources (backup vaults, recovery services, additional snapshots) were also accessed or modified by the same principal.
- Review any related alerts or activities such as VM encryption, disk modifications, or unusual data access that occurred before the deletions.
- Investigate if other Azure resources (VMs, disks, storage accounts) were also deleted or modified by the same principal.
- Check the authentication source and location to identify if the activity originated from an expected network location or potentially compromised session.
- Determine if any remaining snapshots or alternative backups exist for the affected resources.

### False positive analysis

- Legitimate bulk cleanup of expired snapshots according to data retention policies may trigger this alert. Document approved retention management processes and coordinate with infrastructure teams to create exceptions during planned maintenance windows.
- Infrastructure-as-Code (IaC) automation tools or backup management solutions may delete multiple expired snapshots. Identify service principals used by backup retention tools and consider creating exceptions for these identities when following documented retention schedules.
- Cost optimization initiatives may involve bulk deletion of old or redundant snapshots. Coordinate with finance and infrastructure teams to understand planned optimization activities and schedule them during documented maintenance windows.
- Disaster recovery testing or environment teardown may involve deletion of multiple test snapshots. Work with business continuity and DevOps teams to identify these patterns and create time-based exceptions during testing periods.
- Storage migration or consolidation projects may require deletion of old snapshots. Coordinate with infrastructure teams to understand planned migration activities and create exceptions during documented project timelines.

### Response and remediation

- Immediately investigate whether the deletions were authorized by verifying with backup administrators, infrastructure teams, or relevant stakeholders.
- If the deletions were unauthorized, disable the compromised user account or service principal immediately to prevent further damage.
- Check if any snapshots can be recovered through Azure backup services, soft-delete capabilities, or alternative backup mechanisms.
- Create new snapshots of all critical disks immediately to establish new restore points if the deleted snapshots were part of your backup strategy.
- Review and audit all Azure RBAC permissions to identify how the attacker gained snapshot deletion capabilities and remove excessive permissions.
- Conduct a full security assessment to identify the initial access vector, any other compromised accounts, and potential lateral movement.
- Implement Azure Resource Locks on all critical snapshots and backup resources to prevent accidental or malicious deletion.
- Configure Azure Policy to restrict snapshot deletion permissions to only authorized backup administrators and require approval workflows for deletion operations.
- Enable Azure Activity Log alerts and configure notifications to security teams immediately when snapshots are deleted.
- Review and enhance backup strategies to ensure redundant backup mechanisms exist beyond Azure snapshots, including geo-redundant backups and offline copies.
- Escalate the incident to the security operations center (SOC) or incident response team for investigation of potential ransomware preparation or broader compromise.
- Document the incident and update security policies, playbooks, and procedures to prevent similar incidents in the future.
"""
references = [
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/",
]
risk_score = 47
rule_id = "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and
    azure.activitylogs.properties.status_code: "Accepted" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "azure.activitylogs.identity.claims_initiated_by_user.name",
    "azure.activitylogs.identity.authorization.evidence.principal_id",
    "azure.activitylogs.identity.claims.appid",
    "azure.activitylogs.identity.claims.sid",
    "azure.resource.name",
    "azure.resource.group",
    "azure.activitylogs.operation_name",
    "azure.subscription_id",
    "azure.activitylogs.tenant_id",
    "source.ip",
]


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[[rule.threat.technique]]
id = "T1490"
name = "Inhibit System Recovery"
reference = "https://attack.mitre.org/techniques/T1490/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.threshold]
field = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "azure.resource.name"
value = 3
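The threshold section at the end of the rule is the part that is easiest to misread: `value = 1` on the group field means a single matching document per initiator is enough to form a bucket, and it is the cardinality clause (at least 3 distinct `azure.resource.name` values) that actually decides whether the bucket fires. The following Python is an added example, not Elastic's code and not how the Kibana threshold engine is implemented; it re-creates the query filter, the 9-minute lookback and the group-by/cardinality logic over a handful of constructed activity log events, and adds an `exempt_principals` allowlist as one way to realise the "exceptions for automation service principals" mentioned in the false-positive guidance. All event values, identities and snapshot names are constructed; the field names are the ones used by the rule's query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constants taken from the rule definition above.
OPERATION = "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
STATUS = "Accepted"
INITIATOR_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"
MIN_DISTINCT_SNAPSHOTS = 3            # [[rule.threshold.cardinality]] value = 3
WINDOW = timedelta(minutes=9)         # from = "now-9m"

# Fixed "now" so the constructed timestamps below are reproducible.
NOW = datetime(2025, 10, 10, 12, 0, 0)


def make_event(ts, initiator, snapshot, status=STATUS):
    """Build a flattened activity-log document as the KQL query sees it (constructed data)."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": OPERATION,
        "azure.activitylogs.properties.status_code": status,
        INITIATOR_FIELD: initiator,
        "azure.resource.name": snapshot,
    }


# Constructed sample: one user deleting 3 distinct snapshots (plus a repeat and a failure),
# one user hammering the same snapshot name, a backup automation principal, an event outside
# the window, and an event with no initiator claim.
SAMPLE_EVENTS = [
    make_event("2025-10-10T11:52:00", "alice@example.com", "snap-web-01"),
    make_event("2025-10-10T11:53:00", "alice@example.com", "snap-web-02"),
    make_event("2025-10-10T11:54:00", "alice@example.com", "snap-web-03"),
    make_event("2025-10-10T11:55:00", "alice@example.com", "snap-web-01"),            # duplicate name
    make_event("2025-10-10T11:56:00", "alice@example.com", "snap-web-04", "Failed"),  # not Accepted
    make_event("2025-10-10T11:56:00", "bob@example.com", "snap-db-01"),
    make_event("2025-10-10T11:57:00", "bob@example.com", "snap-db-01"),
    make_event("2025-10-10T11:58:00", "bob@example.com", "snap-db-01"),
    make_event("2025-10-10T11:53:00", "backup-retention-sp", "snap-old-01"),
    make_event("2025-10-10T11:54:00", "backup-retention-sp", "snap-old-02"),
    make_event("2025-10-10T11:55:00", "backup-retention-sp", "snap-old-03"),
    make_event("2025-10-10T11:30:00", "carol@example.com", "snap-x-01"),              # outside window
    make_event("2025-10-10T11:35:00", "carol@example.com", "snap-x-02"),
    make_event("2025-10-10T11:40:00", "carol@example.com", "snap-x-03"),
    make_event("2025-10-10T11:59:00", "", "snap-orphan"),                             # no initiator
]


def matches_query(event):
    """Mirror the rule's KQL: dataset, operation, Accepted status, and a present initiator name."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == OPERATION
        and event.get("azure.activitylogs.properties.status_code") == STATUS
        and bool(event.get(INITIATOR_FIELD))
    )


def evaluate(events, now=NOW, exempt_principals=frozenset()):
    """Group query hits by initiator inside the lookback window and apply the cardinality test.

    Returns {initiator: sorted distinct snapshot names} for every initiator whose distinct
    snapshot count reaches MIN_DISTINCT_SNAPSHOTS. `exempt_principals` is an assumed allowlist
    (not part of the rule) standing in for a rule exception on known backup automation identities.
    """
    start = now - WINDOW
    distinct_by_user = defaultdict(set)
    for ev in events:
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        if not (start <= ts <= now):
            continue
        initiator = ev[INITIATOR_FIELD]
        if initiator in exempt_principals:
            continue
        distinct_by_user[initiator].add(ev["azure.resource.name"])
    return {
        user: sorted(names)
        for user, names in distinct_by_user.items()
        if len(names) >= MIN_DISTINCT_SNAPSHOTS
    }


if __name__ == "__main__":
    for user, names in evaluate(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: deleted {len(names)} distinct snapshots: {', '.join(names)}")
```

Running it shows `alice@example.com` and `backup-retention-sp` alerting while `bob@example.com` does not: three Accepted deletions of the same snapshot name are one distinct value, which is what the cardinality clause measures. Passing the automation identity in `exempt_principals` leaves only the interactive user, which is the effect a rule exception for a documented retention service principal would have; the trade-off, as the false-positive notes say, is that such an exception should be tied to the identity's documented schedule, since a compromised automation principal would be silenced along with it.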
