Azure Diagnostic Logging Disabled

Detection overview

Triggers

  • Disabling or deleting Diagnostic logging for an Azure resource or subscription.

Possible Root Causes

  • Malicious Activity: An attacker has deleted Diagnostic logging to hide their tracks.
  • Administrative Change: An administrator has disabled Diagnostic logging as part of normal environmental changes.

Business Impact

  • Inability to detect future attacks, investigate past security incidents, or audit activity within the environment.
  • Increased risk of undetected malicious activity that may negatively impact business operations.

Steps to Verify

  • Analyze Subsequent Actions: Review the actions taken by the user after disabling or deleting Diagnostic logging to assess potential risks.
  • Check Logging Policies: Review security policies to determine if the removal of Diagnostic logging is permitted within the environment.
  • Validate Legitimacy: Discuss with the user to confirm whether the activity was intentional and authorized.
  • Respond to High-Risk Activity: If the review determines a high risk to data or the environment, disable the associated credentials and conduct a comprehensive investigation.
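
The following is an added example, not part of this detection page or its vendor's code. It shows how the trigger above (deleting or modifying diagnostic settings) can be picked out of Azure Activity Log records, and how the "Analyze Subsequent Actions" step can be supported by listing what the same caller did in the hour after the change. The log lines are constructed samples; the field names (eventTimestamp, caller, operationName.value, status.value, resourceId) follow the Azure Activity Log schema, and the two operation names are the real ones Azure records for diagnostic settings, matched case-insensitively because the log writes them in mixed case.

```python
import json
from datetime import datetime, timedelta

# Azure Activity Log operation names for diagnostic settings (case varies in the log).
DIAG_DELETE = "microsoft.insights/diagnosticsettings/delete"
DIAG_WRITE = "microsoft.insights/diagnosticsettings/write"

# Constructed sample records (made-up callers, placeholder subscription id).
SAMPLE_LOG = r'''
{"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "alice@example.com", "operationName": {"value": "Microsoft.Insights/diagnosticSettings/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"eventTimestamp": "2024-05-01T12:30:00Z", "caller": "mallory@example.com", "operationName": {"value": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"eventTimestamp": "2024-05-01T12:31:10Z", "caller": "mallory@example.com", "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"}
{"eventTimestamp": "2024-05-01T12:45:00Z", "caller": "mallory@example.com", "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-PLACEHOLDER"}
{"eventTimestamp": "2024-05-02T09:00:00Z", "caller": "alice@example.com", "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"}
'''


def parse_activity_log(text):
    """Parse newline-delimited Activity Log JSON into sorted, flattened events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            # Activity Log timestamps are UTC with a trailing 'Z'.
            "time": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
            "caller": rec.get("caller", "<unknown>"),
            "operation": rec["operationName"]["value"],
            "status": rec.get("status", {}).get("value", "<unknown>"),
            "resource": rec.get("resourceId", "<unknown>"),
        })
    return sorted(events, key=lambda e: e["time"])


def classify(operation):
    """Severity for a diagnostic-settings operation, or None if unrelated."""
    op = operation.lower()
    if op == DIAG_DELETE:
        return "high"    # logging removed outright
    if op == DIAG_WRITE:
        return "review"  # setting rewritten; categories may have been disabled
    return None


def subsequent_actions(events, caller, after, window=timedelta(hours=1)):
    """Operations by the same caller in the window after the flagged change."""
    return [e["operation"] for e in events
            if e["caller"] == caller and after < e["time"] <= after + window]


def triage(text, window=timedelta(hours=1)):
    """Flag diagnostic-settings changes and attach the caller's follow-on actions."""
    events = parse_activity_log(text)
    alerts = []
    for e in events:
        severity = classify(e["operation"])
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "caller": e["caller"],
            "operation": e["operation"],
            "status": e["status"],
            "resource": e["resource"],
            "subsequent_actions": subsequent_actions(events, e["caller"], e["time"], window),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Deletions are rated higher than writes because a write is also how a setting is first created, so writes need the policy check and conversation with the user described above before any action is taken; the follow-on action list gives the reviewer the context for that conversation.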