Goal

Detect when an Azure resource lock is deleted.

Strategy

Monitor Azure authorization logs for events where @evt.name is MICROSOFT.AUTHORIZATION/LOCKS/DELETE and @evt.outcome is Success. Resource locks prevent accidental deletion or modification of critical Azure resources. Removing a resource lock may be a precursor to unauthorized modification or deletion of protected resources.

Triage and response

  • Determine if {{@usr.id}} had a legitimate reason to delete the resource lock.
  • Identify which resource was unlocked and assess its criticality.
  • Review subsequent actions taken on the unlocked resource to determine if unauthorized modifications or deletions occurred.
  • Check for other suspicious activity from the same user or IP address around the same time.
  • Re-enable the resource lock if the change was unauthorized and verify no data loss has occurred.
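
The sketch below is an added example, not part of the rule itself. It applies the rule's match condition to a handful of constructed events, derives which resource each deleted lock protected, and lists the write or delete operations that followed on that resource within one hour. The flat keys timestamp and resource_id, the one-hour window, and all sample values are assumptions; only evt.name, evt.outcome and usr.id come from the rule.

```python
from datetime import datetime, timedelta

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
# Constructed sample data; "timestamp" and "resource_id" are assumed key names.
SA = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/constructedsa"
LOCK_ID = SA + "/providers/Microsoft.Authorization/locks/do-not-delete"
KEYS = ("timestamp", "evt.name", "evt.outcome", "usr.id", "resource_id")
_ROWS = [
    ("2024-05-01T09:50:00+00:00", LOCK_DELETE, "Failure", "bob@example.com", LOCK_ID),
    ("2024-05-01T10:00:00+00:00", LOCK_DELETE, "Success", "alice@example.com", LOCK_ID),
    ("2024-05-01T10:05:00+00:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Success", "alice@example.com", SA),
    ("2024-05-01T10:07:00+00:00", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", "alice@example.com", SA.replace("rg-prod", "rg-dev")),
    ("2024-05-01T12:30:00+00:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", "carol@example.com", SA),
]
SAMPLE_EVENTS = [dict(zip(KEYS, row)) for row in _ROWS]


def protected_scope(lock_id):
    """Resource ID the lock applied to: everything before the lock segment."""
    idx = lock_id.lower().rfind(LOCK_SEGMENT)
    return lock_id[:idx].lower() if idx > 0 else None


def triage(events, window=timedelta(hours=1)):
    """Pair each successful lock deletion with later WRITE/DELETE events on the unlocked scope."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"]))
    findings = []
    for i, ev in enumerate(events):
        scope = protected_scope(ev["resource_id"])
        if ev["evt.name"].upper() != LOCK_DELETE or ev["evt.outcome"] != "Success" or not scope:
            continue
        deadline = datetime.fromisoformat(ev["timestamp"]) + window
        # Failed follow-up attempts are kept too: they still show intent.
        followups = [
            e for e in events[i + 1:]
            if datetime.fromisoformat(e["timestamp"]) <= deadline
            and e["evt.name"].upper().endswith(("/WRITE", "/DELETE"))
            and (e["resource_id"].lower() + "/").startswith(scope + "/")
        ]
        findings.append({"usr.id": ev["usr.id"], "scope": scope, "followups": followups})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["usr.id"], "unlocked", f["scope"])
        for e in f["followups"]:
            print("  then", e["timestamp"], e["evt.name"], "by", e["usr.id"])
```

A lock re-created on the same scope inside the window also appears in followups, since its operation name ends in /WRITE.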