---
title: Anomalous volume of cloud storage object deletions from a single source IP
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anomalous volume of cloud storage
  object deletions from a single source IP
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Anomalous volume of cloud storage object deletions from a single source IP
Classification:attackTactic:[TA0040-impact](https://attack.mitre.org/tactics/TA0040)Technique:[T1485-data-destruction](https://attack.mitre.org/techniques/T1485) 
## Goal{% #goal %}

Detect an anomalous volume of cloud storage object deletions originating from a single source IP address.

## Strategy{% #strategy %}

This rule monitors cloud storage file activity (OCSF class `6005`) for delete operations (activity ID `7`) across AWS S3, Azure Storage, and GCP Cloud Storage. It uses anomaly detection to identify unusual spikes in deletion volume from a single source IP against a 24-hour baseline. Mass deletion of cloud storage objects may indicate a destructive attack aimed at disrupting operations, destroying evidence, or extorting the victim organization.

## Triage and response{% #triage-and-response %}

- Identify the source IP `{{@ocsf.src_endpoint.ip}}` and determine if it belongs to a known service, automation pipeline, or authorized user.
- Review the storage buckets and object paths targeted by the deletions to assess the scope and sensitivity of the affected data.
- Check whether the deletion volume correlates with a known lifecycle policy, scheduled cleanup job, or authorized data retention process.
- Examine authentication logs for the associated identity to determine if the session was established through normal authentication or potentially compromised credentials.
- Determine if the source IP performed other suspicious storage operations such as disabling versioning, modifying bucket policies, or writing ransom notes before or after the deletions.
- Verify whether affected storage buckets have versioning or soft-delete enabled to assess data recovery options.
