Infrastructure teams may legitimately delete multiple snapshots during planned maintenance, storage optimization, or cleanup of expired backup data according to retention policies. Verify that the deletion activity was expected and follows organizational change management processes. Consider exceptions for approved maintenance windows or for the automation service principals that manage backup retention.

Techniques

Sample rules

Azure Compute Snapshot Deletions by User

Description

Identifies when a single user or service principal deletes multiple Azure disk snapshots within a short time period. This behavior may indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack. Mass deletion of snapshots eliminates restore points and significantly impacts disaster recovery capabilities, making it a critical indicator of potentially malicious activity.

Detection logic

event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and
    azure.activitylogs.properties.status_code: "Accepted" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
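The query above is only the per-event filter; the "multiple deletions in a short time period" part of the rule is an aggregation on top of it. The following added example (not code from the LoFP page, the rule's authors, Azure, or Elastic) applies that filter to constructed activity-log events using the same ECS-style field names, counts matching deletions per initiating identity in a sliding window, and suppresses an allowlisted retention-automation principal as the false-positive note suggests. The window length, threshold, user names and the allowlist are all assumptions chosen for illustration.

```python
"""Sliding-window detection of mass Azure snapshot deletions.

Added example: applies the field filter from the "Detection logic" section
to constructed azure.activitylogs events and flags any initiating identity
that deletes THRESHOLD or more snapshots inside WINDOW. The allowlist is a
hypothetical tuning knob for approved retention automation, not part of the
published rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)                # assumed "short time period"
THRESHOLD = 5                                 # assumed: flag on the 5th deletion
ALLOWLIST = {"backup-retention-automation"}   # hypothetical approved service principal

OP_NAME = "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
USER_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"


def matches_rule(ev):
    """Event-level filter equivalent to the four KQL clauses in the rule."""
    return (
        ev.get("event.dataset") == "azure.activitylogs"
        and ev.get("azure.activitylogs.operation_name") == OP_NAME
        and ev.get("azure.activitylogs.properties.status_code") == "Accepted"
        and bool(ev.get(USER_FIELD))          # "name: *" means the field must be present
    )


def find_mass_deletions(events, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {identity: max deletions seen in any window} for identities at or above threshold."""
    per_user = defaultdict(list)
    for ev in events:
        if not matches_rule(ev):
            continue
        user = ev[USER_FIELD]
        if user in allowlist:                 # false-positive tuning from the LoFP note
            continue
        per_user[user].append(datetime.fromisoformat(ev["@timestamp"]))

    hits = {}
    for user, stamps in per_user.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):    # two-pointer sliding window over sorted times
            while t - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def _event(ts, user, op=OP_NAME, status="Accepted"):
    """Build a constructed activity-log event with the fields the rule reads."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": op,
        "azure.activitylogs.properties.status_code": status,
        USER_FIELD: user,
    }


# Constructed sample data (not real tenant logs).
SAMPLE_EVENTS = (
    # six snapshot deletions by one user within five minutes: the pattern the rule targets
    [_event(f"2024-05-01T10:0{i}:00+00:00", "jdoe@contoso.example") for i in range(6)]
    # a failed attempt and a disk (not snapshot) deletion by the same user: filtered out
    + [_event("2024-05-01T10:06:00+00:00", "jdoe@contoso.example", status="Failed"),
       _event("2024-05-01T10:07:00+00:00", "jdoe@contoso.example", op="MICROSOFT.COMPUTE/DISKS/DELETE")]
    # routine cleanup: three deletions spread over an hour stay under the threshold
    + [_event("2024-05-01T11:00:00+00:00", "ops@contoso.example"),
       _event("2024-05-01T11:25:00+00:00", "ops@contoso.example"),
       _event("2024-05-01T11:55:00+00:00", "ops@contoso.example")]
    # retention automation deleting ten expired snapshots: suppressed by the allowlist
    + [_event(f"2024-05-01T12:00:{i:02d}+00:00", "backup-retention-automation") for i in range(10)]
)

if __name__ == "__main__":
    print(find_mass_deletions(SAMPLE_EVENTS))
```

Running it with the default allowlist flags only the interactive user; clearing the allowlist also surfaces the automation principal, which is exactly the exception the false-positive note asks you to decide on deliberately rather than leave to chance.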