Infrastructure teams may legitimately delete multiple storage accounts during planned decommissioning, resource cleanup, or large-scale infrastructure optimization. Verify that the deletion activity was expected and follows organizational change-management processes. Consider exceptions for approved maintenance windows or automation service principals.

Techniques

Sample rules

Azure Storage Account Deletions by User

Description

Identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior may indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities.

Detection logic

event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
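As an added worked example (not part of the LoFP entry or of the rule above), the Python below applies the rule's logic to constructed activity-log events: it keeps only storageAccounts/DELETE operations, groups them by initiating identity, counts distinct accounts inside a sliding time window, and skips allowlisted automation principals as the false-positive note suggests. The flattened field names, the threshold of 3 and the 10-minute window are assumptions, not values from the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OP_DELETE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"

def _ev(ts, op, user, account):
    """Build one constructed activity-log event (field names simplified)."""
    rid = f"/subscriptions/sub-0/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/{account}"
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "operation_name": op, "user": user, "resource_id": rid}

# Constructed sample events, not real tenant data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", OP_DELETE, "alice@example.com", "sa1"),
    _ev("2024-05-01T10:02:00Z", OP_DELETE, "alice@example.com", "sa2"),
    _ev("2024-05-01T10:02:30Z", OP_DELETE, "alice@example.com", "sa2"),  # retry, same account
    _ev("2024-05-01T10:05:00Z", OP_DELETE, "alice@example.com", "sa3"),
    _ev("2024-05-01T10:06:00Z", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "alice@example.com", "sa1"),
    _ev("2024-05-01T10:00:00Z", OP_DELETE, "bob@example.com", "sa4"),
    _ev("2024-05-01T11:00:00Z", OP_DELETE, "bob@example.com", "sa5"),
    _ev("2024-05-01T09:00:00Z", OP_DELETE, "decom-automation-sp", "sa7"),
    _ev("2024-05-01T09:01:00Z", OP_DELETE, "decom-automation-sp", "sa8"),
    _ev("2024-05-01T09:02:00Z", OP_DELETE, "decom-automation-sp", "sa9"),
]

def find_mass_deletions(events, threshold=3, window=timedelta(minutes=10),
                        allowlist=frozenset()):
    """Map each flagged user to the distinct storage accounts deleted inside
    the first `window`-long span that reaches `threshold` distinct accounts."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("event.dataset") != "azure.activitylogs" or ev.get("operation_name") != OP_DELETE:
            continue
        user = ev.get("user")
        if not user or user in allowlist:  # approved automation principals are excepted
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        per_user[user].append((ts, ev["resource_id"]))
    hits = {}
    for user, dels in per_user.items():
        dels.sort()
        in_window, start = defaultdict(int), 0
        for ts, rid in dels:
            in_window[rid] += 1
            while ts - dels[start][0] > window:  # slide the window forward
                old = dels[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits[user] = sorted(in_window)
                break
    return hits
```

Only alice trips the rule here: bob's two deletions fall outside one window, and the automation principal is excepted by the allowlist.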