Restore point collection deletions may be performed by system administrators during routine cleanup or decommissioning activities. Verify whether the user and resource should be performing these operations. Deletions from unfamiliar users or targeting critical resources should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Compute Restore Point Collection Deleted by Unusual User

Description

Identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Adversaries may delete these collections to prevent recovery during ransomware attacks or to cover their tracks during malicious operations.

Detection logic

event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
    event.outcome: (Success or success)
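As an added example (not part of the original rule or Elastic's own code), the query's three-field filter and the "user who has not previously performed this activity" condition applied to constructed Azure activity-log events, with the exemption mechanism the false-positive note describes. The `event.*` field names come from the query above; the `user.name` field, the 30-day baseline window, the account names and the timestamps are assumptions.

```python
from datetime import datetime, timedelta

DATASET = "azure.activitylogs"
ACTION = "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"

def matches_rule(event):
    """The query's three conditions: dataset, action and a successful outcome."""
    return (event.get("event.dataset") == DATASET
            and event.get("event.action") == ACTION
            and event.get("event.outcome") in ("Success", "success"))

def unusual_deleters(events, now, baseline_days=30, exempt=frozenset()):
    """Return matching events whose user made no earlier matching deletion.
    Events older than the window only populate the known-deleter set; events
    inside it alert on a user's first appearance. Users in `exempt` (a known
    cleanup account, per the false-positive note) are skipped. 30 days is an
    assumption, not a setting taken from the rule."""
    window_start = now - timedelta(days=baseline_days)
    seen, hits = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        user = ev["user.name"]  # assumed field holding the acting identity
        if (ev["@timestamp"] >= window_start
                and user not in seen and user not in exempt):
            hits.append(ev)
        seen.add(user)
    return hits

def _event(ts, user, action=ACTION, outcome="Success"):
    """Constructed activity-log event using the field names from the query."""
    return {"@timestamp": ts, "user.name": user, "event.dataset": DATASET,
            "event.action": action, "event.outcome": outcome}

NOW = datetime(2024, 6, 1)
SAMPLE_EVENTS = [  # constructed sample data, not real log records
    _event(NOW - timedelta(days=45), "backup-admin"),  # old: builds the baseline
    _event(NOW - timedelta(days=2), "backup-admin"),   # known deleter: no alert
    _event(NOW - timedelta(days=1), "contractor-x"),   # first deletion: alert
    _event(NOW - timedelta(hours=3), "contractor-x"),  # repeat: no second alert
    _event(NOW - timedelta(hours=2), "svc-deploy", outcome="Failure"),  # filtered out
    _event(NOW - timedelta(hours=1), "svc-deploy",
           action="MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"),  # other action
]

if __name__ == "__main__":
    for hit in unusual_deleters(SAMPLE_EVENTS, NOW, exempt={"backup-admin"}):
        print(hit["@timestamp"], hit["user.name"])
```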