---
title: Azure Storage data protection settings disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure Storage data protection settings disabled

Classification: attack

Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)

Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detect when Azure Storage data protection settings such as soft delete or immutability policies are disabled or removed.

## Strategy{% #strategy %}

This rule monitors Azure Storage logs for two categories of data protection removal. The first tracks the disabling of soft delete with `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE` events, where `@properties.requestbody.properties.deleteRetentionPolicy.enabled` or `@properties.requestbody.properties.containerDeleteRetentionPolicy.enabled` is set to `false`. The second tracks the removal of immutability policies with `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/IMMUTABILITYPOLICIES/DELETE` events or `MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE` events, where `@properties.requestbody.properties.immutabilityPolicy.state` is set to `Disabled`. Disabling these protections removes safeguards that prevent data from being deleted or overwritten.
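
The match conditions above can be checked offline against exported events. The following is an added example, not Datadog's rule definition: it assumes each event is already parsed into nested dictionaries, that the operation name sits under a hypothetical `operationName` key, and that the sample events (built by the hypothetical `make_event` helper) are constructed.

```python
# Added example: the rule's match conditions applied to parsed activity-log events.
BLOB_SERVICE_WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE"
IMMUTABILITY_DELETE = ("MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/"
                       "CONTAINERS/IMMUTABILITYPOLICIES/DELETE")
ACCOUNT_WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
BODY = "properties.requestbody.properties."

def dig(event, path):
    """Follow a dotted path through nested dicts; None if any key is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_false(value):
    # Pipelines may deliver booleans as strings, so accept both forms.
    return str(value).lower() == "false"

def classify(event):
    """Return which protection the event disabled, or None if it does not match."""
    op = str(event.get("operationName", "")).upper()  # key name is an assumption
    if op == BLOB_SERVICE_WRITE:
        if is_false(dig(event, BODY + "deleteRetentionPolicy.enabled")):
            return "soft delete"
        if is_false(dig(event, BODY + "containerDeleteRetentionPolicy.enabled")):
            return "container soft delete"
    elif op == IMMUTABILITY_DELETE:
        return "immutability policy"
    elif op == ACCOUNT_WRITE:
        if dig(event, BODY + "immutabilityPolicy.state") == "Disabled":
            return "immutability policy"
    return None

def make_event(op, body=None):
    # Builds a constructed sample event in the assumed nested shape.
    return {"operationName": op,
            "properties": {"requestbody": {"properties": body or {}}}}

SAMPLES = [  # constructed events, not real log data
    make_event(BLOB_SERVICE_WRITE, {"deleteRetentionPolicy": {"enabled": False}}),
    make_event(BLOB_SERVICE_WRITE, {"containerDeleteRetentionPolicy": {"enabled": "false"}}),
    make_event(BLOB_SERVICE_WRITE, {"deleteRetentionPolicy": {"enabled": True, "days": 7}}),
    make_event(IMMUTABILITY_DELETE),
    make_event(ACCOUNT_WRITE, {"immutabilityPolicy": {"state": "Disabled"}}),
    make_event(ACCOUNT_WRITE, {"immutabilityPolicy": {"state": "Unlocked"}}),
]
```

The third and sixth samples are writes that leave protection in place, so they return `None`; the label each match returns answers the triage question of which mechanism was disabled.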

## Triage and response{% #triage-and-response %}

- Verify if `{{@usr.id}}` had a legitimate reason to modify data protection settings on the affected storage account.
- Identify which specific protection mechanism was disabled (soft delete, container soft delete, or immutability policy) and on which storage account.
- Review subsequent activity on the affected storage account for signs of mass deletion or data exfiltration.
- Check for other suspicious activity from the same user or IP address.
- Re-enable the data protection settings if the change was unauthorized and verify no data loss has occurred.
