Storage administrators may legitimately delete snapshots during routine maintenance, storage optimization, or cleanup of old backup data. Verify that the deletion was expected and follows organizational data retention policies. Consider exceptions for approved maintenance windows or automated retention management tools, such as a service principal that prunes snapshots on a schedule.

Techniques

Sample rules

Azure Compute Snapshot Deletion by Unusual User and Resource Group

Description

Identifies when an Azure disk snapshot is deleted by an unusual user in a specific resource group. Snapshots are critical for backup, disaster recovery, and forensic analysis. Adversaries may delete snapshots to prevent data recovery, eliminate forensic evidence, or disrupt backup strategies before executing ransomware or other destructive attacks. Monitoring snapshot deletions is essential for detecting potential attacks targeting backup and recovery capabilities.

Detection logic

event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and
    azure.activitylogs.properties.status_code: "Accepted" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
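Two things worth noting about the query as written: the four clauses alone match every accepted snapshot deletion initiated by a user, so the "unusual user and resource group" part of the title has to come from the rule's evaluation of which user/resource-group combinations have not been seen before, not from the query text; and because Azure resource deletions are asynchronous, "Accepted" records that the delete request was accepted by Resource Manager, not that the snapshot is already gone. The following Python block is an added example, not part of the original rule, that runs the query over constructed Activity Log records and then applies that first-seen check plus an allow-list for approved automation (the false-positive note above). The flattened dotted field names follow the query; the `azure.resource.group` field, the 10-day history window, the identity names and every sample record are assumptions made for the example.

```python
"""Added example (not part of the rule above): the snapshot-deletion query
run over constructed Azure Activity Log records, followed by the
"unusual user and resource group" first-seen step and an allow-list for
approved retention automation. Assumed: flattened ECS-style dotted keys,
the `azure.resource.group` field name, a 10-day history window, and all
sample records below (constructed, not real log data)."""
from datetime import datetime, timedelta

OP_DELETE = "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
USER_FIELD = "azure.activitylogs.identity.claims_initiated_by_user.name"


def _rec(ts, user, rg, op=OP_DELETE, status="Accepted", dataset="azure.activitylogs"):
    """Build one constructed, flattened Activity Log record."""
    return {
        "@timestamp": ts,
        "event.dataset": dataset,
        "azure.activitylogs.operation_name": op,
        "azure.activitylogs.properties.status_code": status,
        USER_FIELD: user,
        "azure.resource.group": rg,  # assumed field name
    }


# Constructed sample input covering matches, non-matches and a re-appearance.
SAMPLE_EVENTS = [
    _rec("2024-05-01T02:00:00+00:00", "backup-automation-sp", "rg-prod"),
    _rec("2024-05-02T09:15:00+00:00", "alice", "rg-prod"),
    _rec("2024-05-03T01:00:00+00:00", "alice", "rg-prod"),
    _rec("2024-05-03T03:00:00+00:00", "alice", "rg-forensics"),
    _rec("2024-05-04T10:00:00+00:00", "bob", "rg-prod", status="Failed"),
    _rec("2024-05-04T11:00:00+00:00", "mallory", "rg-prod", op="MICROSOFT.COMPUTE/SNAPSHOTS/WRITE"),
    _rec("2024-05-05T12:00:00+00:00", "carol", "rg-prod", dataset="azure.auditlogs"),
    _rec("2024-06-20T23:30:00+00:00", "alice", "rg-prod"),
]


def matches_query(ev: dict) -> bool:
    """The rule's four KQL clauses. `field: *` means the field exists and is non-empty."""
    return (
        ev.get("event.dataset") == "azure.activitylogs"
        and ev.get("azure.activitylogs.operation_name") == OP_DELETE
        and ev.get("azure.activitylogs.properties.status_code") == "Accepted"
        and bool(ev.get(USER_FIELD))
    )


def find_unusual_deletions(events, history_days=10, approved_automation=()):
    """Return one alert per (user, resource group) pair that matched the query
    and was not seen in the previous `history_days`. Identities listed in
    `approved_automation` still update the baseline but never alert."""
    last_seen = {}
    alerts = []
    window = timedelta(days=history_days)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        user = ev[USER_FIELD]
        rg = ev.get("azure.resource.group", "<unknown>")
        key = (user, rg)
        prev = last_seen.get(key)
        last_seen[key] = ts
        if user in approved_automation:
            continue  # tuned out per the false-positive note: approved retention tooling
        if prev is None or ts - prev > window:
            alerts.append({"timestamp": ev["@timestamp"], "user": user, "resource_group": rg})
    return alerts


if __name__ == "__main__":
    for a in find_unusual_deletions(SAMPLE_EVENTS, approved_automation=("backup-automation-sp",)):
        print(f"{a['timestamp']} snapshot deletion by new user/resource-group pair: "
              f"{a['user']} in {a['resource_group']}")
```

Without the allow-list the automation identity produces a fourth alert on its first appearance, which is the trade-off the false-positive note describes: the identity has to be either baselined or explicitly excepted. The failed deletion, the non-delete operation and the audit-log record never reach the first-seen step because the query clauses drop them.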