Azure Storage data protection settings disabled

Goal

Detect when Azure Storage data protection settings such as soft delete or immutability policies are disabled or removed.

Strategy

This rule monitors Azure Storage logs for two categories of data protection removal. The first tracks the disabling of soft delete with MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE events, where @properties.requestbody.properties.deleteRetentionPolicy.enabled or @properties.requestbody.properties.containerDeleteRetentionPolicy.enabled is set to false. The second tracks the removal of immutability policies with MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/IMMUTABILITYPOLICIES/DELETE events or MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE events, where @properties.requestbody.properties.immutabilityPolicy.state is set to Disabled. Disabling these protections removes safeguards that prevent data from being deleted or overwritten.
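As an added example (not Datadog's own rule code), the two detection categories described above applied in Python to constructed Azure activity-log events; the flat `evt.name`, `usr.id` and `resource_id` keys and an already-parsed nested `requestbody` are assumptions about the log shape after ingestion.

```python
# Added example (not Datadog's own rule code): the Strategy section's two categories
# run over constructed events; "evt.name"/"usr.id"/"resource_id" keys and a parsed requestbody are assumed.
SOFT_DELETE_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE"
IMMUTABILITY_DELETE_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/IMMUTABILITYPOLICIES/DELETE"
ACCOUNT_WRITE_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
REQ_PROPS = "properties.requestbody.properties."

def _get(obj, path):
    # Walk a dotted path through nested dicts; None if any step is missing.
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def classify(event):
    """Return 'soft_delete', 'immutability', or None if the event is benign."""
    op = (event.get("evt.name") or "").upper()
    if op == SOFT_DELETE_OP:
        for policy in ("deleteRetentionPolicy", "containerDeleteRetentionPolicy"):
            if _get(event, REQ_PROPS + policy + ".enabled") in (False, "false"):
                return "soft_delete"
    if op == IMMUTABILITY_DELETE_OP:
        return "immutability"
    if op == ACCOUNT_WRITE_OP:
        state = _get(event, REQ_PROPS + "immutabilityPolicy.state")
        if isinstance(state, str) and state.lower() == "disabled":
            return "immutability"
    return None

def detect(events):
    """Return (user, resource, category) for every event that matches the rule."""
    return [(e.get("usr.id"), e.get("resource_id"), c)
            for e in events if (c := classify(e))]

def _body(**props):
    return {"properties": {"requestbody": {"properties": props}}}
# Constructed sample events: three should fire, two should not.
SAMPLE_EVENTS = [
    {"evt.name": SOFT_DELETE_OP, "usr.id": "alice", "resource_id": "sa1",
     **_body(deleteRetentionPolicy={"enabled": False, "days": 7})},
    {"evt.name": SOFT_DELETE_OP, "usr.id": "bob", "resource_id": "sa2",
     **_body(containerDeleteRetentionPolicy={"enabled": True, "days": 7})},
    {"evt.name": IMMUTABILITY_DELETE_OP, "usr.id": "carol", "resource_id": "sa3"},
    {"evt.name": ACCOUNT_WRITE_OP, "usr.id": "dave", "resource_id": "sa4",
     **_body(immutabilityPolicy={"state": "Disabled"})},
    {"evt.name": ACCOUNT_WRITE_OP, "usr.id": "erin", "resource_id": "sa5",
     **_body(immutabilityPolicy={"state": "Unlocked"})},
]
```

Running `detect(SAMPLE_EVENTS)` flags alice (soft delete), carol and dave (immutability) while bob's enable and erin's Unlocked state do not match.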

Triage and response

  • Verify whether {{@usr.id}} had a legitimate reason to modify data protection settings on the affected storage account.
  • Identify which specific protection mechanism was disabled (soft delete, container soft delete, or immutability policy) and on which storage account.
  • Review subsequent activity on the affected storage account for signs of mass deletion or data exfiltration.
  • Check for other suspicious activity from the same user or IP address.
  • Re-enable the data protection settings if the change was unauthorized and verify no data loss has occurred.