---
title: Azure resource lock deleted
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure resource lock deleted
- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detect when an Azure resource lock is deleted.

## Strategy{% #strategy %}

Monitor Azure authorization logs where `@evt.name` is `MICROSOFT.AUTHORIZATION/LOCKS/DELETE` and `@evt.outcome` is `Success`. Resource locks prevent accidental deletion or modification of critical Azure resources. Removing a resource lock may be a precursor to unauthorized modification or deletion of protected resources.

## Triage and response{% #triage-and-response %}

- Determine if `{{@usr.id}}` had a legitimate reason to delete the resource lock.
- Identify which resource was unlocked and assess its criticality.
- Review subsequent actions taken on the unlocked resource to determine if unauthorized modifications or deletions occurred.
- Check for other suspicious activity from the same user or IP address around the same time.
- Re-enable the resource lock if the change was unauthorized and verify no data loss has occurred.
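
The match condition and the "review subsequent actions" triage step, sketched as an added example (not Datadog's rule code). The events are constructed, `ts` and `resource_id` are assumed field names, and the scope is derived from Azure's lock ID layout `<scope>/providers/Microsoft.Authorization/locks/<name>`.

```python
from datetime import datetime, timedelta

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
ACCT = "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/backups"
LOCK = ACCT + "/providers/Microsoft.Authorization/locks/no-delete"

def ev(ts, name, outcome, user, rid):
    # "ts" and "resource_id" are assumed field names; the rest mirror the rule's attributes.
    return {"ts": ts, "evt.name": name, "evt.outcome": outcome, "usr.id": user, "resource_id": rid}

# Constructed sample events (not real log data).
EVENTS = [
    ev("2024-05-01T09:00:00", LOCK_DELETE, "Failure", "bob@example.com", LOCK),
    ev("2024-05-01T10:00:00", LOCK_DELETE, "Success", "alice@example.com", LOCK),
    ev("2024-05-01T10:05:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Success", "alice@example.com", ACCT),
    # Sibling resource whose ID merely shares a prefix with the unlocked one.
    ev("2024-05-01T10:06:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Success", "alice@example.com", ACCT + "2"),
    # Same resource, but outside the review window.
    ev("2024-05-01T12:30:00", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", "carol@example.com", ACCT),
]

def lock_deletions(events):
    """Events matching the rule: a successful resource lock deletion."""
    return [e for e in events
            if e["evt.name"].upper() == LOCK_DELETE and e["evt.outcome"].lower() == "success"]

def unlocked_scope(resource_id):
    """Scope the lock protected: everything before the lock segment, lowercased."""
    idx = resource_id.lower().rfind(LOCK_SEGMENT)
    return resource_id[:idx].lower() if idx != -1 else None

def follow_up_actions(events, deletion, window=timedelta(hours=1)):
    """Write/delete operations at or below the unlocked scope within the window."""
    scope = unlocked_scope(deletion["resource_id"])
    if scope is None:
        return []
    start = datetime.fromisoformat(deletion["ts"])
    hits = []
    for e in events:
        rid = e["resource_id"].lower()
        in_scope = rid == scope or rid.startswith(scope + "/")
        changes = e["evt.name"].upper().endswith(("/WRITE", "/DELETE"))
        in_window = start <= datetime.fromisoformat(e["ts"]) <= start + window
        if e is not deletion and in_scope and changes and in_window:
            hits.append(e)
    return hits
```

Matching on `scope + "/"` rather than a bare prefix keeps a lock removed at resource-group scope covering its child resources without pulling in siblings such as `backups2`.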
