Azure Resource Group Deletion

Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/17"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
11permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally
12destroy data.
13"""
14false_positives = [
15    """
16    Deletion of a resource group may be done by a system or network administrator. Verify whether the username,
17    hostname, and/or resource name should be making changes in your environment. Resource group deletions from
18    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
19    from the rule.
20    """,
21]
22from = "now-25m"
23index = ["filebeat-*", "logs-azure*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Azure Resource Group Deletion"
27note = """## Setup
28
29The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = [
31    "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
32]
33risk_score = 47
34rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1485"
49name = "Data Destruction"
50reference = "https://attack.mitre.org/techniques/T1485/"
51
52
53[rule.threat.tactic]
54id = "TA0040"
55name = "Impact"
56reference = "https://attack.mitre.org/tactics/TA0040/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1562"
61name = "Impair Defenses"
62reference = "https://attack.mitre.org/techniques/T1562/"
63[[rule.threat.technique.subtechnique]]
64id = "T1562.001"
65name = "Disable or Modify Tools"
66reference = "https://attack.mitre.org/techniques/T1562/001/"
67
68
69
70[rule.threat.tactic]
71id = "TA0005"
72name = "Defense Evasion"
73reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top