Planned decommissioning activities or large-scale infrastructure changes may result in legitimate bulk deletion of restore point collections. Verify with the user and change management processes whether these deletions are authorized. Large-scale migration or cleanup projects should be coordinated and documented to avoid false positives.

Techniques

Sample rules

Azure Compute Restore Point Collections Deleted

Description

Identifies multiple Azure Restore Point Collections being deleted by a single user within a short time period. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Mass deletion of these collections is a common tactic used by adversaries during ransomware attacks to prevent victim recovery or to maximize impact during destructive operations. Multiple deletions in rapid succession may indicate malicious intent.

Detection logic

event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
    event.outcome: (Success or success)
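The rule's threshold logic (several successful delete events by one actor inside a short window) applied to constructed activity-log events, as an added example that is not the rule's own code. The threshold, the window length, the `user.name` actor field and the `authorized` set (actors covered by an approved change record, per the false positive note above) are assumptions; the page states none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DELETE_ACTION = "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"

# Constructed events carrying only the fields the rule queries plus a timestamp and actor.
def ev(ts, user, outcome="Success", action=DELETE_ACTION):
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "event.action": action, "event.outcome": outcome, "user.name": user}

SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:00Z", "alice"),
    ev("2024-01-10T09:02:00Z", "alice", outcome="success"),   # lowercase outcome also matches
    ev("2024-01-10T09:04:00Z", "alice"),
    ev("2024-01-10T09:05:00Z", "alice", outcome="Failure"),   # failed delete: not counted
    ev("2024-01-10T09:00:00Z", "bob"),
    ev("2024-01-10T09:01:00Z", "bob"),                        # only two: below threshold
    ev("2024-01-10T09:00:00Z", "carol"),
    ev("2024-01-10T11:00:00Z", "carol"),
    ev("2024-01-10T13:00:00Z", "carol"),                      # three, but hours apart
]

def matches_rule(event):
    """The page's KQL filter: dataset, delete action and a successful outcome."""
    return (event.get("event.dataset") == "azure.activitylogs"
            and event.get("event.action") == DELETE_ACTION
            and event.get("event.outcome") in ("Success", "success"))

def find_bulk_deletions(events, threshold=3, window_minutes=10, authorized=frozenset()):
    """Return {user: most deletions seen inside one window} for users reaching the
    threshold; actors in 'authorized' (assumed change-record allowlist) are skipped."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for event in events:
        if matches_rule(event) and event["user.name"] not in authorized:
            per_user[event["user.name"]].append(
                datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts
```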