Azure Resource Group Deletion
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/08/17"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
13permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally
14destroy data.
15"""
16false_positives = [
17 """
18 Deletion of a resource group may be done by a system or network administrator. Verify whether the username,
19 hostname, and/or resource name should be making changes in your environment. Resource group deletions from
20 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
21 from the rule.
22 """,
23]
24from = "now-25m"
25index = ["filebeat-*", "logs-azure*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "Azure Resource Group Deletion"
29note = """## Setup
30
31The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = [
33 "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
34]
35risk_score = 47
36rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
37severity = "medium"
38tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1485"
51name = "Data Destruction"
52reference = "https://attack.mitre.org/techniques/T1485/"
53
54
55[rule.threat.tactic]
56id = "TA0040"
57name = "Impact"
58reference = "https://attack.mitre.org/tactics/TA0040/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1562"
63name = "Impair Defenses"
64reference = "https://attack.mitre.org/techniques/T1562/"
65[[rule.threat.technique.subtechnique]]
66id = "T1562.001"
67name = "Disable or Modify Tools"
68reference = "https://attack.mitre.org/techniques/T1562/001/"
69
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Command Execution on Virtual Machine
- Azure Event Hub Authorization Rule Created or Updated
- Azure Event Hub Deletion
- Azure Kubernetes Events Deleted
- Azure Kubernetes Pods Deleted