Azure Resource Group Deletion
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/17"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
11permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally
12destroy data.
13"""
14false_positives = [
15 """
16 Deletion of a resource group may be done by a system or network administrator. Verify whether the username,
17 hostname, and/or resource name should be making changes in your environment. Resource group deletions from
18 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
19 from the rule.
20 """,
21]
22from = "now-25m"
23index = ["filebeat-*", "logs-azure*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Azure Resource Group Deletion"
27note = """## Setup
28
29The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = [
31 "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
32]
33risk_score = 47
34rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1485"
49name = "Data Destruction"
50reference = "https://attack.mitre.org/techniques/T1485/"
51
52
53[rule.threat.tactic]
54id = "TA0040"
55name = "Impact"
56reference = "https://attack.mitre.org/tactics/TA0040/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1562"
61name = "Impair Defenses"
62reference = "https://attack.mitre.org/techniques/T1562/"
63[[rule.threat.technique.subtechnique]]
64id = "T1562.001"
65name = "Disable or Modify Tools"
66reference = "https://attack.mitre.org/techniques/T1562/001/"
67
68
69
70[rule.threat.tactic]
71id = "TA0005"
72name = "Defense Evasion"
73reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS CloudTrail Log Updated
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS KMS Customer Managed Key Disabled or Scheduled for Deletion
- Azure Command Execution on Virtual Machine