Azure Backup vault modified
Description
AlphaSOC detected a modification to an Azure Backup vault (a Recovery Services vault). Adversaries modify backup configuration to weaken recovery before deploying ransomware or destroying data: shortening retention, disabling or deleting backup policies, removing protected items, or changing replication settings all reduce what can be restored after an incident.
Impact
Unauthorized changes to a backup vault can leave critical data unprotected or unrecoverable. Shortened retention periods cause existing recovery points to expire early, disabled schedules stop new recovery points from being created, and altered replication settings can remove the secondary copy relied on for regional failover. If such changes precede a ransomware or data destruction event, the organization may have no usable backup to restore from.
Severity
| Severity | Condition |
|---|---|
| Low | Backup vault modification by a user for the first time |
Investigation and Remediation
Review the specific change in the Azure Activity Log: the operation name (writes or deletes under Microsoft.RecoveryServices/vaults, such as backup policy, protected item, or vault configuration changes), the caller, the source IP where recorded, and the timestamp. Confirm with the vault owner that the action was authorized and matches an approved change. Check for reduced retention, disabled or deleted backup policies, removed protected items, altered replication settings, and any change to vault security settings such as soft delete or immutability, since disabling those protections is a typical step before recovery points are deleted. If the change was unauthorized, restore the original configuration, preserve the Activity Log entries as evidence, and investigate the caller's account and credentials for compromise; service principals and managed identities can perform these operations too, so do not limit the review to interactive users.
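As an added example (not AlphaSOC's detection logic or code), the following Python script applies the first-time-modifier rule from the severity table to Azure Activity Log events and extracts the fields an analyst needs for the review above: vault, caller, operation, timestamp and client IP. The event records, callers, vault names and the flat field layout are constructed for the example; a real Activity Log export nests some fields (for example operationName.value and status.value), so adapt the field access to your export. The optional baseline argument is an assumed convention for feeding in modifiers already seen in historical data, so that "first time" is not limited to the window being analysed.

```python
"""Triage Azure Activity Log events for Recovery Services vault changes.

Added example, not AlphaSOC code. Records below are a constructed, simplified
subset of Activity Log fields; real exports nest operationName/status under
a .value key, so adjust field access to your export.
"""
import re

# Control-plane operations under the Recovery Services resource provider that
# change what a vault protects or how long it keeps recovery points. Matching
# is case-insensitive because Activity Log casing is not stable.
VAULT_CHANGE_OPS = (
    "microsoft.recoveryservices/vaults/write",
    "microsoft.recoveryservices/vaults/delete",
    "microsoft.recoveryservices/vaults/backuppolicies/write",
    "microsoft.recoveryservices/vaults/backuppolicies/delete",
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/protecteditems/delete",
    "microsoft.recoveryservices/vaults/backupconfig/write",
)

_VAULT_RE = re.compile(
    r"/providers/microsoft\.recoveryservices/vaults/([^/]+)", re.IGNORECASE
)


def vault_from_resource_id(resource_id):
    """Return the vault name from a Recovery Services resource ID, or None."""
    m = _VAULT_RE.search(resource_id or "")
    return m.group(1) if m else None


def is_vault_change(operation_name):
    """True if the operation is one of the vault-changing writes/deletes."""
    return (operation_name or "").lower() in VAULT_CHANGE_OPS


def triage(events, baseline=None):
    """Return one Low finding per first-time (vault, caller) modification.

    baseline: optional {vault_name: set(callers)} of modifiers seen in
    historical data. Only succeeded operations count: a failed write did
    not change the vault (a burst of failures deserves its own review).
    """
    seen = {v: set(c) for v, c in (baseline or {}).items()}
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTimestamp"]):
        op = ev.get("operationName")
        if not is_vault_change(op) or ev.get("status") != "Succeeded":
            continue
        vault = vault_from_resource_id(ev.get("resourceId"))
        caller = ev.get("caller")
        if vault is None or not caller:
            continue
        if caller in seen.setdefault(vault, set()):
            continue  # known modifier of this vault: no alert under the Low rule
        seen[vault].add(caller)
        findings.append({
            "severity": "Low",
            "vault": vault,
            "caller": caller,
            "operation": op,
            "destructive": op.lower().endswith("/delete"),  # removes protection outright
            "eventTimestamp": ev["eventTimestamp"],
            "clientIp": ev.get("clientIp"),
        })
    return findings


# Constructed sample events (hypothetical subscription, vaults and callers).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
_PROD = _SUB + "rg-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod"
_DEV = _SUB + "rg-dev/providers/Microsoft.RecoveryServices/vaults/rsv-dev"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T09:10:00Z", "caller": "backup-admin@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/backupPolicies/write",
     "status": "Succeeded", "clientIp": "203.0.113.10",
     "resourceId": _PROD + "/backupPolicies/DailyPolicy"},
    {"eventTimestamp": "2024-05-01T08:00:00Z", "caller": "backup-admin@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/backupPolicies/write",
     "status": "Succeeded", "clientIp": "203.0.113.10",
     "resourceId": _PROD + "/backupPolicies/DailyPolicy"},
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "contractor-svc@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
     "status": "Succeeded", "clientIp": "198.51.100.7",
     "resourceId": _PROD + "/backupFabrics/Azure/protectionContainers/c1/protectedItems/vm1"},
    {"eventTimestamp": "2024-05-01T10:05:00Z", "caller": "intern@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/write",
     "status": "Failed", "clientIp": "198.51.100.9", "resourceId": _PROD},
    {"eventTimestamp": "2024-05-01T11:00:00Z", "caller": "backup-admin@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "status": "Succeeded", "clientIp": "203.0.113.10",
     "resourceId": _SUB + "rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"eventTimestamp": "2024-05-01T12:00:00Z", "caller": "backup-admin@contoso.example",
     "operationName": "Microsoft.RecoveryServices/vaults/backupconfig/write",
     "status": "Succeeded", "clientIp": "203.0.113.10",
     "resourceId": _DEV + "/backupconfig/vaultconfig"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']}: {f['caller']} first modified {f['vault']} "
              f"at {f['eventTimestamp']} ({f['operation']}, destructive={f['destructive']})")
```

On the sample data the admin's second policy write and the failed vault write produce no finding, while the service account's protected-item delete is flagged as a first-time, destructive change; passing the admin as a baseline modifier of rsv-prod suppresses that vault's admin finding but still flags the first change on rsv-dev.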
Known False Positives
- Legitimate backup policy adjustments by administrators
- Cost optimization efforts reducing retention periods
- Migration or reorganization of backup infrastructure