<  Back to rules search

Azure Datadog Log Forwarder Deleted

azure

Classification:

attack

Tactic:

Technique:

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.

Strategy

Monitor Azure logs where @evt.name is "MICROSOFT.WEB/SITES/DELETE", @evt.outcome is Success, and the @resourceID contains DATADOG and LOG. This rule does not work if the the Azure resource group or Azure function does not contain DATADOG or LOG.

Triage and response

  1. Verify the Azure function (@resourceId) is responsible for forwarding logs to Datadog.
  2. Determine if there is a legitimate reason for deleting the Azure function.
  3. If activity is not expected, investigate activity from the service principal (@identity.authorization.evidence) or user ({{@usr.id}}).