Azure Diagnostic Logging Disabled
Detection overview
Triggers
- Disabling or deleting Diagnostic logging for an Azure resource or subscription.
Possible Root Causes
- Malicious Activity: An attacker has deleted Diagnostic logging to hide their tracks.
- Administrative Change: An administrator has disabled Diagnostic logging as part of normal environmental changes.
Business Impact
- Inability to detect future attacks, investigate past security incidents, or audit activity within the environment.
- Increased risk of undetected malicious activity that may negatively impact business operations.
Steps to Verify
- Analyze Subsequent Actions: Review the actions taken by the user after disabling or deleting Diagnostic logging to assess potential risks.
- Check Logging Policies: Review security policies to determine if the removal of Diagnostic logging is permitted within the environment.
- Validate Legitimacy: Discuss with the user to confirm whether the activity was intentional and authorized.
- Respond to High-Risk Activity: If the review determines a high risk to data or the environment, disable the associated credentials and conduct a comprehensive investigation.
Azure Diagnostic Logging Disabled
Possible root causes
Malicious Detection
Benign Detection
Azure Diagnostic Logging Disabled
Example scenarios
Azure Diagnostic Logging Disabled
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Diagnostic Logging Disabled
Steps to investigate
Azure Diagnostic Logging Disabled
MITRE ATT&CK techniques covered
Azure Diagnostic Logging Disabled
Related detections
No items found.