Azure Application Deleted

Apr 28, 2026 · attack.impact attack.t1489 ·

Identifies when a application is deleted in Azure.

Sigma rule (View on GitHub)

 1title: Azure Application Deleted
 2id: 410d2a41-1e6d-452f-85e5-abdd8257a823
 3status: test
 4description: Identifies when a application is deleted in Azure.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
 7author: Austin Songer @austinsonger
 8date: 2021-09-03
 9modified: 2022-10-09
10tags:
11    - attack.impact
12    - attack.t1489
13logsource:
14    product: azure
15    service: activitylogs
16detection:
17    selection:
18        properties.message:
19            - Delete application
20            - Hard Delete application
21    condition: selection
22falsepositives:
23    - Application being deleted may be performed by a system administrator.
24    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25    - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: medium

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID.

Read More

Azure Application Deleted

Sigma rule (View on GitHub)

References

Microsoft Entra audit log activity reference - Microsoft Entra ID

Related rules