---
title: Oracle fusion app mass resource deletion
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Oracle fusion app mass resource
  deletion
---

# Oracle fusion app mass resource deletion

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1485-data-destruction](https://attack.mitre.org/techniques/T1485) 
## Goal{% #goal %}

Detect repeated failed resource deletion attempts within an Oracle Fusion application, which may indicate a compromised account probing for destructive actions, a misconfigured automation job, or a user attempting unauthorized bulk changes.

## Strategy{% #strategy %}

This rule monitors Oracle Fusion audit logs (`source:oracle-fusion` and `service:oracle-fusion-audit`) for `ResourceDeletion` events that are not marked successful. It triggers a Medium severity signal when a single user account performs more than 50 failed resource deletion attempts within a 5-minute window. This pattern indicates abnormal bulk deletion activity.

## Triage and Response{% #triage-and-response %}

1. Identify the user `{{@usr.id}}` responsible for the deletion activity and determine whether the volume is consistent with legitimate business operations.
1. Review what resources were targeted for deletion and assess the potential business impact.
1. Determine why the deletion attempts are failing (permissions or policy issues, missing prerequisites, automation errors) and whether any successful deletions occurred around the same time.
1. If the activity is unauthorized, disable the account immediately and preserve audit logs for forensic review.
1. Escalate to your incident response process and initiate data recovery procedures if necessary.
