Azure Mass Resource Deletion
Detection overview
Triggers
- Unusual pattern of deletion associated with various Azure cloud resources.
- Deletion of resources as part of legitimate downsizing or other supporting business use cases.
Possible Root Causes
- Malicious Activity: An attacker is attempting to disrupt operations by destroying critical resources in the Azure environment.
- Defensive Evasion: An attacker is removing Azure resources to hinder incident response and forensic investigations.
- Automated Workflows: An internal automated process is deploying and removing a significant volume of resources as part of normal operations.
Business Impact
- Mass deletion of resources poses a significant risk to business continuity and normal operations.
- Many Azure resources cannot be recovered once deleted, increasing the complexity and effort required to restore services.
Steps to Verify
- Investigate the Initiating Identity: Review the identity that performed the deletion for other signs of malicious activity.
- Validate Organizational Approval: Ensure that the removal of resources was sanctioned and aligns with internal policies.
Azure Mass Resource Deletion
Possible root causes
Malicious Detection
Benign Detection
Azure Mass Resource Deletion
Example scenarios
Azure Mass Resource Deletion
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Mass Resource Deletion
Steps to investigate
Azure Mass Resource Deletion
MITRE ATT&CK techniques covered
Azure Mass Resource Deletion
Related detections
No items found.