Azure Application Deleted
Identifies when a application is deleted in Azure.
Sigma rule (View on GitHub)
1title: Azure Application Deleted
2id: 410d2a41-1e6d-452f-85e5-abdd8257a823
3status: test
4description: Identifies when a application is deleted in Azure.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
7author: Austin Songer @austinsonger
8date: 2021/09/03
9modified: 2022/10/09
10tags:
11 - attack.defense_evasion
12 - attack.impact
13 - attack.t1489
14logsource:
15 product: azure
16 service: activitylogs
17detection:
18 selection:
19 properties.message:
20 - Delete application
21 - Hard Delete application
22 condition: selection
23falsepositives:
24 - Application being deleted may be performed by a system administrator.
25 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26 - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
27level: medium
References
Related rules
- Fsutil Suspicious Invocation
- Potential BlackByte Ransomware Activity
- Cisco File Deletion
- Secure Deletion with SDelete
- AWS CloudTrail Important Change