Azure Resource Group Deletion
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.
[metadata]
creation_date = "2020/08/17"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally
destroy data.
"""
false_positives = [
    """
    Deletion of a resource group may be done by a system or network administrator. Verify whether the username,
    hostname, and/or resource name should be making changes in your environment. Resource group deletions from
    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
    from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Resource Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure Resource Group Deletion

Azure Resource Groups are containers that hold related resources for an Azure solution, enabling efficient management and organization. Adversaries may exploit this by deleting entire groups to disrupt services or erase data, causing significant impact. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential malicious actions for further investigation.

### Possible investigation steps

- Review the Azure activity logs to confirm the deletion event by checking for the operation name "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and ensure the event outcome is marked as "Success" or "success".
- Identify the user or service principal responsible for the deletion by examining the associated user identity or service principal ID in the activity logs.
- Check the timestamp of the deletion event to determine when the resource group was deleted and correlate this with any other suspicious activities around the same time.
- Investigate the resources contained within the deleted resource group to assess the potential impact, including any critical services or data that may have been affected.
- Review any recent changes in permissions or roles assigned to the user or service principal involved in the deletion to identify potential privilege escalation or misuse.
- Examine any related alerts or logs for unusual activities or patterns that might indicate a broader attack or compromise within the Azure environment.

### False positive analysis

- Routine maintenance activities by IT teams may trigger alerts when resource groups are intentionally deleted as part of regular updates or infrastructure changes. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for these tasks.
- Automated scripts or deployment tools that manage resource lifecycles might delete resource groups as part of their normal operation. Identify these scripts and exclude their activity from alerts by filtering based on the service principal or automation account used.
- Testing environments often involve frequent creation and deletion of resource groups. Exclude these environments from alerts by tagging them appropriately and configuring the detection rule to ignore actions on tagged resources.
- Mergers or organizational restructuring can lead to legitimate resource group deletions. Coordinate with relevant departments to anticipate these changes and temporarily adjust monitoring rules to prevent false positives.
- Ensure that any third-party services or consultants with access to your Azure environment are accounted for, as their activities might include resource group deletions. Establish clear communication channels to verify their actions and adjust monitoring rules accordingly.

### Response and remediation

- Immediately isolate the affected Azure subscription to prevent further unauthorized actions. This can be done by temporarily disabling access or applying strict access controls.
- Review and revoke any suspicious or unauthorized access permissions associated with the affected resource group to prevent further exploitation.
- Restore the deleted resources from backups if available. Ensure that backup and recovery processes are validated and functioning correctly.
- Conduct a thorough audit of recent Azure activity logs to identify any other potentially malicious actions or compromised accounts.
- Escalate the incident to the security operations team for a detailed investigation and to determine if there are broader implications or related threats.
- Implement additional monitoring and alerting for similar deletion activities across all Azure subscriptions to enhance early detection of such threats.
- Review and strengthen access management policies, ensuring that only authorized personnel have the necessary permissions to delete resource groups.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
]
risk_score = 47
rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
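The following is an added example, not part of the Elastic rule above, showing the rule's KQL match logic re-expressed in Python and run over constructed activity-log events in the ECS shape the query targets. It also implements the exception pattern the false-positive guidance describes (suppressing deletions initiated by a known automation identity) and pulls out the fields the investigation steps ask for. The three fields the rule queries (`event.dataset`, `azure.activitylogs.operation_name`, `event.outcome`) are taken from the rule; the identity, resource-group and subscription field paths, and all sample values, are assumptions made for the example.

```python
"""Re-implementation of the 'Azure Resource Group Deletion' query over constructed events.

Match condition, mirroring the rule's KQL exactly:
    event.dataset == "azure.activitylogs"
    and azure.activitylogs.operation_name == "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"
    and event.outcome in ("Success", "success")
"""
from __future__ import annotations

import json
from typing import Any, Iterable

DATASET = "azure.activitylogs"
OPERATION = "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"
SUCCESS_OUTCOMES = {"Success", "success"}  # the rule accepts both spellings

# Assumed ECS field paths for triage context (not part of the rule's query).
ACTOR_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"
GROUP_FIELD = "azure.resource.group"
SUBSCRIPTION_FIELD = "azure.subscription_id"

# Constructed sample events (NDJSON, one document per line). Names, IDs and
# timestamps are invented for this example.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    # 1. successful delete by an interactive user -> should alert
    {"@timestamp": "2025-01-15T09:12:44Z",
     "event": {"dataset": DATASET, "outcome": "Success"},
     "azure": {"subscription_id": "11111111-1111-1111-1111-111111111111",
               "resource": {"group": "prod-payments-rg"},
               "activitylogs": {"operation_name": OPERATION,
                                "identity": {"claims_initiated_by_user": {"name": "jdoe@example.com"}}}}},
    # 2. successful delete by a known CI cleanup service principal -> matches, but exceptable
    {"@timestamp": "2025-01-15T02:00:03Z",
     "event": {"dataset": DATASET, "outcome": "success"},
     "azure": {"subscription_id": "22222222-2222-2222-2222-222222222222",
               "resource": {"group": "ci-ephemeral-4821"},
               "activitylogs": {"operation_name": OPERATION,
                                "identity": {"claims_initiated_by_user": {"name": "sp-ci-cleanup"}}}}},
    # 3. failed delete attempt -> outcome does not match
    {"@timestamp": "2025-01-15T09:15:01Z",
     "event": {"dataset": DATASET, "outcome": "Failure"},
     "azure": {"subscription_id": "11111111-1111-1111-1111-111111111111",
               "resource": {"group": "prod-payments-rg"},
               "activitylogs": {"operation_name": OPERATION,
                                "identity": {"claims_initiated_by_user": {"name": "jdoe@example.com"}}}}},
    # 4. a different operation on a resource group -> operation name does not match
    {"@timestamp": "2025-01-15T09:20:30Z",
     "event": {"dataset": DATASET, "outcome": "Success"},
     "azure": {"subscription_id": "11111111-1111-1111-1111-111111111111",
               "resource": {"group": "prod-payments-rg"},
               "activitylogs": {"operation_name": "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/WRITE",
                                "identity": {"claims_initiated_by_user": {"name": "jdoe@example.com"}}}}},
]]


def parse(line: str) -> dict[str, Any]:
    """Parse one NDJSON line into a nested document."""
    return json.loads(line)


def get_field(doc: dict[str, Any], dotted_path: str) -> Any:
    """Walk a dotted ECS path ('event.outcome') through nested dicts; None if absent."""
    cur: Any = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict[str, Any]) -> bool:
    """True when the document satisfies the rule's KQL (exact keyword matches)."""
    return (get_field(doc, "event.dataset") == DATASET
            and get_field(doc, "azure.activitylogs.operation_name") == OPERATION
            and get_field(doc, "event.outcome") in SUCCESS_OUTCOMES)


def is_excepted(doc: dict[str, Any], excepted_identities: set[str] | frozenset[str]) -> bool:
    """Exception handling from the false-positive guidance: known automation identities."""
    return get_field(doc, ACTOR_FIELD) in excepted_identities


def triage(lines: Iterable[str], excepted_identities: frozenset[str] = frozenset()) -> list[dict[str, Any]]:
    """Return one triage record per matching, non-excepted event: who, what, where, when."""
    alerts = []
    for line in lines:
        doc = parse(line)
        if not matches_rule(doc) or is_excepted(doc, excepted_identities):
            continue
        alerts.append({
            "timestamp": doc.get("@timestamp"),
            "actor": get_field(doc, ACTOR_FIELD),
            "resource_group": get_field(doc, GROUP_FIELD),
            "subscription": get_field(doc, SUBSCRIPTION_FIELD),
        })
    return alerts


if __name__ == "__main__":
    # Only the interactive user's deletion survives once the CI principal is excepted.
    for alert in triage(SAMPLE_EVENTS, frozenset({"sp-ci-cleanup"})):
        print(json.dumps(alert))
```

Note that the KQL match on `azure.activitylogs.operation_name` is an exact keyword comparison, so a case-variant or a WRITE operation on the same resource group does not fire; the `Success or success` clause exists because both spellings of the outcome occur in the data, and the code keeps that tolerance rather than lower-casing everything.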