Azure resource lock deleted

Goal

Detect when an Azure resource lock is deleted.

Strategy

Monitor Azure authorization logs for events where @evt.name is MICROSOFT.AUTHORIZATION/LOCKS/DELETE and @evt.outcome is Success. Resource locks prevent accidental deletion or modification of critical Azure resources. Removing a resource lock may be a precursor to unauthorized modification or deletion of protected resources.

Triage and response

  • Determine if {{@usr.id}} had a legitimate reason to delete the resource lock.
  • Identify which resource was unlocked and assess its criticality.
  • Review subsequent actions taken on the unlocked resource to determine if unauthorized modifications or deletions occurred.
  • Check for other suspicious activity from the same user or IP address around the same time.
  • Re-enable the resource lock if the change was unauthorized and verify no data loss has occurred.
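
The rule condition and the "review subsequent actions" triage step can be combined in a short script. This is an added example, not the rule's own implementation: the flat event layout (ts, evt.name, evt.outcome, usr.id, resource), the one-hour window, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
SA = "/subscriptions/sub-0000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/examplesa"

# Constructed sample events (not real logs); the flat field layout is an assumption.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "evt.name": LOCK_DELETE, "evt.outcome": "Failure",
     "usr.id": "bob@example.com", "resource": SA + "/providers/Microsoft.Authorization/locks/keep"},
    {"ts": "2024-05-01T10:05:00", "evt.name": LOCK_DELETE, "evt.outcome": "Success",
     "usr.id": "alice@example.com", "resource": SA + "/providers/Microsoft.Authorization/locks/keep"},
    {"ts": "2024-05-01T10:07:00", "evt.name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE",
     "evt.outcome": "Success", "usr.id": "alice@example.com", "resource": SA.upper()},
    {"ts": "2024-05-01T10:08:00", "evt.name": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "evt.outcome": "Success", "usr.id": "carol@example.com",
     "resource": "/subscriptions/sub-0000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"ts": "2024-05-01T13:00:00", "evt.name": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "evt.outcome": "Success", "usr.id": "alice@example.com", "resource": SA},
]

def locked_scope(lock_resource_id):
    """Scope the lock protected: the part of the lock ID before the lock marker."""
    return lock_resource_id.lower().split(LOCK_MARKER)[0]

def find_lock_deletions(events):
    """Events matching the rule condition: lock delete operation with Success outcome."""
    return [e for e in events
            if e["evt.name"].upper() == LOCK_DELETE and e["evt.outcome"] == "Success"]

def follow_up_actions(events, deletion, window=timedelta(hours=1)):
    """WRITE/DELETE operations on the unlocked scope within `window` after the deletion."""
    scope = locked_scope(deletion["resource"])
    start = datetime.fromisoformat(deletion["ts"])
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        rid = e["resource"].lower()  # resource IDs are compared case-insensitively
        in_scope = rid == scope or rid.startswith(scope + "/")
        if (start < ts <= start + window and in_scope and LOCK_MARKER not in rid
                and e["evt.name"].upper().endswith(("/WRITE", "/DELETE"))):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for d in find_lock_deletions(EVENTS):
        print(d["usr.id"], "unlocked", locked_scope(d["resource"]))
        for e in follow_up_actions(EVENTS, d):
            print("  follow-up:", e["ts"], e["evt.name"], e["usr.id"])
```
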