Azure Storage unusual spike in destructive operations

azure

Classification:

attack

Tactic:

TA0040-impact

Technique:

T1485-data-destruction

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect an unusual spike in destructive operations against Azure Storage resources.

Strategy

This rule monitors Azure Storage logs for anomalous levels of deletion events including MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE, DeleteContainer, and DeleteBlob operations with a successful outcome. A spike significantly above baseline may indicate a compromised account performing mass data destruction, which is a common pattern in cloud ransomware attacks.

Triage and response

  • Review the volume and scope of deletion operations performed from`{{@network.client.ip}}` to assess the extent of potential data loss.
  • Examine what specific storage accounts, containers, or blobs were targeted to understand the blast radius.
  • Check for other suspicious activity from the same user.
  • If the activity is not authorized, begin your organization’s incident response plan.