Azure Datadog Log Forwarder Deleted

azure

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.

Strategy

Monitor Azure logs where @evt.name is "MICROSOFT.WEB/SITES/DELETE", @evt.outcome is Success, and the @resourceID contains DATADOG and LOG. This rule does not work if the the Azure resource group or Azure function does not contain DATADOG or LOG.

Triage and response

  1. Verify the Azure function (@resourceId) is responsible for forwarding logs to Datadog.
  2. Determine if there is a legitimate reason for deleting the Azure function.
  3. If activity is not expected, investigate activity from the service principal (@identity.authorization.evidence) or user ({{@usr.id}}).