Azure Application Deleted

Aug 12, 2024 · attack.defense-evasion attack.impact attack.t1489 ·

Identifies when a application is deleted in Azure.

Sigma rule (View on GitHub)

 1title: Azure Application Deleted
 2id: 410d2a41-1e6d-452f-85e5-abdd8257a823
 3status: test
 4description: Identifies when a application is deleted in Azure.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 7author: Austin Songer @austinsonger
 8date: 2021-09-03
 9modified: 2022-10-09
10tags:
11    - attack.defense-evasion
12    - attack.impact
13    - attack.t1489
14logsource:
15    product: azure
16    service: activitylogs
17detection:
18    selection:
19        properties.message:
20            - Delete application
21            - Hard Delete application
22    condition: selection
23falsepositives:
24    - Application being deleted may be performed by a system administrator.
25    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26    - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID.

Read More

Azure Application Deleted

Sigma rule (View on GitHub)

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Related rules