Azure Mass Resource Deletion

Detection overview

Triggers

  • Unusual pattern of deletion associated with various Azure cloud resources.
  • Deletion of resources as part of legitimate downsizing or other supporting business use cases.

Possible Root Causes

  • Malicious Activity: An attacker is attempting to disrupt operations by destroying critical resources in the Azure environment.
  • Defensive Evasion: An attacker is removing Azure resources to hinder incident response and forensic investigations.
  • Automated Workflows: An internal automated process is deploying and removing a significant volume of resources as part of normal operations.

Business Impact

  • Mass deletion of resources poses a significant risk to business continuity and normal operations.
  • Many Azure resources cannot be recovered once deleted, increasing the complexity and effort required to restore services.

Steps to Verify

  • Investigate the Initiating Identity: Review the identity that performed the deletion for other signs of malicious activity.
  • Validate Organizational Approval: Ensure that the removal of resources was sanctioned and aligns with internal policies.
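
The trigger and the first verification step can be sketched in code. The following is an added example, not the vendor's detection logic: it groups successful delete operations by initiating identity and reports any identity that removes many distinct resources in a short burst. The flattened field names (time, caller, operation, status, resourceId), the 10-minute window, the threshold of 5 and the `approved` allow-list for sanctioned automation are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed burst window
THRESHOLD = 5                   # assumed minimum count of distinct resources

def find_mass_deletions(events, window=WINDOW, threshold=THRESHOLD, approved=frozenset()):
    """Return {caller: finding} for identities whose successful deletes reach
    `threshold` distinct resources within `window`."""
    per_caller = defaultdict(list)
    for e in events:
        # Only completed deletes count; Started/Failed records are skipped.
        if e["operation"].lower().endswith("/delete") and e["status"] == "Succeeded":
            when = datetime.fromisoformat(e["time"])
            per_caller[e["caller"]].append((when, e["resourceId"].lower()))
    findings = {}
    for caller, deletes in per_caller.items():
        deletes.sort()
        start = 0
        for end, (ts, _) in enumerate(deletes):
            while ts - deletes[start][0] > window:
                start += 1  # slide the window forward
            distinct = {rid for _, rid in deletes[start:end + 1]}
            if len(distinct) >= threshold:
                findings[caller] = {
                    "window_start": deletes[start][0], "window_end": ts,
                    "resources": sorted(distinct),
                    # Known automation is labelled for triage, not suppressed.
                    "approved_automation": caller in approved,
                }
                break
    return findings

# Constructed sample records (not real log output).
T0 = datetime(2024, 1, 1, 9, 0)
TYPES = ["Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts",
         "Microsoft.Sql/servers", "Microsoft.KeyVault/vaults",
         "Microsoft.Network/virtualNetworks", "Microsoft.Compute/disks"]
def _ev(minute, caller, rtype, name, status="Succeeded"):
    return {"time": (T0 + timedelta(minutes=minute)).isoformat(), "caller": caller,
            "operation": f"{rtype}/delete", "status": status,
            "resourceId": f"/subscriptions/sub-0/resourceGroups/rg/providers/{rtype}/{name}"}

SAMPLE_EVENTS = (
    [_ev(i, "user-a@example.com", t, f"res{i}") for i, t in enumerate(TYPES)]  # burst
    + [_ev(20 * i, "ci@example.com", TYPES[0], f"build{i}") for i in range(4)]  # slow
    + [_ev(i, "user-b@example.com", TYPES[1], f"st{i}", "Failed") for i in range(6)]
    + [_ev(1, "user-c@example.com", TYPES[0], "vm0", s) for s in ("Started", "Succeeded")] * 3
)
```

With the sample data only the burst by user-a@example.com is reported; the slow pipeline, the failed attempts and the repeated records for a single resource stay below the threshold.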

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:
