Azure Storage unusual spike in destructive operations

azure

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1485-data-destruction

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect an unusual spike in destructive operations against Azure Storage resources.

Strategy

This rule monitors Azure Storage logs for anomalous levels of deletion events including MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE, DeleteContainer, and DeleteBlob operations with a successful outcome. A spike significantly above baseline may indicate a compromised account performing mass data destruction, which is a common pattern in cloud ransomware attacks.

Triage and response

  • Review the volume and scope of deletion operations performed from`{{@network.client.ip}}` to assess the extent of potential data loss.
  • Examine what specific storage accounts, containers, or blobs were targeted to understand the blast radius.
  • Check for other suspicious activity from the same user.
  • If the activity is not authorized, begin your organization’s incident response plan.