---
title: Azure Storage unusual spike in destructive operations
description: Datadog, the leading service for cloud-scale monitoring.
---

# Azure Storage unusual spike in destructive operations

Classification: attack

Tactic: [TA0040-impact](https://attack.mitre.org/tactics/TA0040)

Technique: [T1485-data-destruction](https://attack.mitre.org/techniques/T1485)

## Goal{% #goal %}

Detect an unusual spike in destructive operations against Azure Storage resources.

## Strategy{% #strategy %}

This rule monitors Azure Storage logs for anomalous levels of deletion events including `MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE`, `DeleteContainer`, and `DeleteBlob` operations with a successful outcome. A spike significantly above baseline may indicate a compromised account performing mass data destruction, which is a common pattern in cloud ransomware attacks.

## Triage and response{% #triage-and-response %}

- Review the volume and scope of deletion operations performed from `{{@network.client.ip}}` to assess the extent of potential data loss.
- Examine what specific storage accounts, containers, or blobs were targeted to understand the blast radius.
- Check for other suspicious activity from the same user.
- If the activity is not authorized, begin your organization's incident response plan.
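
The spike logic from the Strategy section, combined with the per-IP blast-radius summary from the triage steps, as an added example that is not Datadog's detection code. The record field names, the median-of-prior-hours baseline and the `factor`/`floor` thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Operation names taken from the rule's Strategy section.
DESTRUCTIVE = {"MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "DeleteContainer", "DeleteBlob"}

def bucket_deletes(events):
    """Group successful destructive operations by client IP and hour."""
    buckets = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["operation"] in DESTRUCTIVE and e["outcome"] == "Success":
            hour = datetime.fromisoformat(e["time"]).replace(minute=0, second=0, microsecond=0)
            buckets[e["client_ip"]][hour].append(e["resource"])
    return buckets

def find_spikes(events, factor=5, floor=10):
    """Flag (IP, hour) buckets with >= floor deletes and > factor x the IP's prior median."""
    findings = []
    for ip, hours in bucket_deletes(events).items():
        history = []  # delete counts from this IP's earlier, non-flagged hours
        for hour in sorted(hours):
            count = len(hours[hour])
            baseline = median(history) if history else 0
            if count >= floor and count > factor * baseline:
                # Blast radius: which containers lost data in this bucket.
                containers = sorted({r.rsplit("/", 1)[0] for r in hours[hour]})
                findings.append({"client_ip": ip, "hour": hour.isoformat(), "count": count,
                                 "baseline": baseline, "containers": containers})
            else:
                history.append(count)  # spikes are kept out of the baseline
    return findings

def sample_events():
    """Constructed log records; the field names are simplified assumptions."""
    start, events = datetime(2024, 1, 1), []
    def add(ip, hour, n, op="DeleteBlob", outcome="Success", container="acct1/logs"):
        for i in range(n):
            t = start + timedelta(hours=hour, minutes=i)
            events.append({"time": t.isoformat(), "operation": op, "outcome": outcome,
                           "client_ip": ip, "resource": f"{container}/blob-{hour}-{i}"})
    for h in range(6):
        add("203.0.113.10", h, 2)                                # routine cleanup
    add("203.0.113.10", 6, 40, container="acct1/backups")        # burst of deletions
    add("198.51.100.7", 6, 30, outcome="AuthorizationFailure")   # failed: ignored
    add("198.51.100.7", 6, 30, op="GetBlob")                     # not destructive
    return events

if __name__ == "__main__":
    print(find_spikes(sample_events()))
```

Hours in which an IP performed no deletions are not part of its history here, so the baseline reflects only hours with at least one successful destructive operation.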
