Azure Storage Account Deletion by Unusual User

Identifies when an Azure Storage Account is deleted. Adversaries may delete storage accounts to disrupt operations, destroy evidence, or cause denial of service. This activity could indicate an attacker attempting to cover their tracks after data exfiltration or as part of a destructive attack. Monitoring storage account deletions is critical for detecting potential impact on business operations and data availability.

Elastic rule

[metadata]
creation_date = "2025/10/08"
integration = ["azure"]
maturity = "production"
updated_date = "2025/10/08"

[rule]
author = ["Elastic"]
description = """
Identifies when an Azure Storage Account is deleted. Adversaries may delete storage accounts to disrupt operations,
destroy evidence, or cause denial of service. This activity could indicate an attacker attempting to cover their tracks
after data exfiltration or as part of a destructive attack. Monitoring storage account deletions is critical for
detecting potential impact on business operations and data availability.
"""
false_positives = [
    """
    Storage administrators may legitimately delete storage accounts during decommissioning, resource cleanup, or
    infrastructure optimization. Verify that the deletion was expected and follows organizational change management
    processes. Consider exceptions for approved maintenance windows.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Deletion by Unusual User"
note = """## Triage and analysis

### Investigating Azure Storage Account Deletion by Unusual User

Azure Storage Accounts provide scalable cloud storage for applications and services. Deletion of storage accounts is a high-impact operation that permanently removes all contained data including blobs, files, queues, and tables. Adversaries may delete storage accounts to destroy evidence of their activities, disrupt business operations, or cause denial of service as part of ransomware or destructive attacks. This detection monitors for successful storage account deletion operations to identify potential malicious activity.

### Possible investigation steps

- Review the Azure activity logs to identify the user or service principal that initiated the storage account deletion by examining the principal ID, UPN and user agent fields.
- Check the specific storage account name in `azure.resource.name` to understand which storage resources were deleted and assess the business impact.
- Investigate the timing of the event to correlate with any other suspicious activities, such as unusual login patterns, privilege escalation attempts, or other resource deletions.
- Examine the user's recent activity history to identify any other storage accounts or Azure resources that were deleted or modified by the same principal.
- Verify if the storage account deletion aligns with approved change requests or maintenance windows in your organization.
- Check if the deleted storage account contained critical data and whether backups are available for recovery.
- Review any related alerts or activities such as data exfiltration, configuration changes, or access policy modifications that occurred before the deletion.
- Investigate if the account was recently compromised by checking for suspicious authentication events or privilege escalations.

### False positive analysis

- Legitimate decommissioning of unused storage accounts may trigger this alert. Document approved storage account cleanup activities and coordinate with infrastructure teams to understand planned deletions.
- DevOps automation tools might delete temporary storage accounts as part of infrastructure lifecycle management. Identify service principals used by CI/CD pipelines and consider creating exceptions for these automated processes.
- Testing and development environments may have frequent storage account creation and deletion cycles. Consider filtering out non-production storage accounts if appropriate for your environment.
- Cost optimization initiatives may involve deleting unused or redundant storage accounts. Coordinate with finance and infrastructure teams to understand planned resource optimization activities.

### Response and remediation

- Immediately investigate whether the deletion was authorized by verifying with the account owner or relevant stakeholders.
- If the deletion was unauthorized, attempt to recover the storage account if soft-delete is enabled, or restore data from backups.
- Disable the compromised user account or service principal if unauthorized activity is confirmed and investigate how the credentials were obtained.
- Review and restrict Azure RBAC permissions to ensure only authorized users have storage account deletion capabilities (requires Contributor or Owner role).
- Implement Azure Resource Locks to prevent accidental or malicious deletion of critical storage accounts.
- Configure Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted.
- Conduct a full security assessment to identify any other compromised resources or accounts and look for indicators of broader compromise.
- Document the incident and update security policies and procedures to prevent similar incidents in the future.
"""
references = [
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
]
risk_score = 47
rule_id = "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.activitylogs.identity.claims_initiated_by_user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
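As an added example (not Elastic's code), the following Python reproduces what the rule above does over constructed Azure activity log events: the KQL filter on the storage account delete operation with a populated initiating-user name, followed by the new_terms check that only alerts when that user name has not appeared in matching events during the 7-day history window. The lookback here is evaluated per event rather than per scheduled rule run, which is a simplification of the real rule type.

```python
from datetime import datetime, timedelta, timezone

OPERATION = "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"
USER_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"
HISTORY_WINDOW = timedelta(days=7)  # rule.new_terms history_window_start = "now-7d"


def matches_query(event):
    """Mirror of the rule's KQL: dataset, exact operation name, non-empty user name."""
    return (
        event.get("event.dataset") == "azure.activitylogs"
        and event.get("azure.activitylogs.operation_name") == OPERATION
        and bool(event.get(USER_FIELD))
    )


def new_term_alerts(events):
    """Return the matching events whose initiating user name did not appear in
    any other matching event within the preceding HISTORY_WINDOW (simplified new_terms)."""
    matched = sorted((e for e in events if matches_query(e)), key=lambda e: e["@timestamp"])
    alerts = []
    for i, ev in enumerate(matched):
        window_start = ev["@timestamp"] - HISTORY_WINDOW
        seen = {p[USER_FIELD] for p in matched[:i] if p["@timestamp"] >= window_start}
        if ev[USER_FIELD] not in seen:
            alerts.append(ev)
    return alerts


def make_event(ts, user, resource, op=OPERATION):
    """Build a constructed activity log event carrying only the fields the rule reads."""
    return {
        "@timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": op,
        USER_FIELD: user,
        "azure.resource.name": resource,
    }


# Constructed sample events (not real log data). Expected alerts: the admin's
# first deletion, the admin again after the 7-day window lapsed, and j.doe's first.
SAMPLE_EVENTS = [
    make_event("2025-09-20T08:00:00", "storage-admin@example.com", "sttemp-a"),
    make_event("2025-10-01T09:00:00", "storage-admin@example.com", "sttemp-b"),
    make_event("2025-10-06T10:00:00", "storage-admin@example.com", "sttemp-c"),
    make_event("2025-10-08T02:13:00", "j.doe@example.com", "stprod-backups"),
    make_event("2025-10-08T02:20:00", "j.doe@example.com", "stprod-logs"),
    make_event("2025-10-08T03:00:00", "ci-bot@example.com", "stci-01",
               op="MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"),  # not a delete
    make_event("2025-10-08T03:30:00", "", "stprod-x"),  # no user name, excluded by the query
]
```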
