Azure Blob Storage soft delete disabled
Description
AlphaSOC detected disabling of blob soft delete on an Azure Storage account via
Microsoft.Storage/storageAccounts/blobServices/write. Soft delete provides
data protection by retaining deleted blobs for a specified period, enabling
recovery from accidental or malicious deletions. Disabling this feature removes
this safety net and may indicate preparation for data destruction attacks.
Impact
Disabling blob soft delete eliminates the ability to recover deleted data, so deletions become permanent immediately. Threat actors may disable this protection before ransomware operations or destructive attacks to prevent data recovery. This reduces organizational resilience against data loss incidents.
Severity
| Severity | Condition |
|---|---|
| Low | Blob soft delete disabled |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.Storage/storageAccounts/blobServices/write action where the
deleteRetentionPolicy.enabled property is set to false. Identify the
principal responsible and the storage account affected. Verify whether this
change was authorized and aligns with data retention policies.
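The review described above can be scripted over exported Activity Log records. The following is an added example, not AlphaSOC's detection logic. It assumes records shaped like `az monitor activity-log list` output, with the request body available as a JSON string under `properties.requestbody`; the function names and all sample records are constructed for illustration.

```python
import json

ACTION = "microsoft.storage/storageaccounts/blobservices/write"

def _sample(ts, caller, status, account, body):
    # Constructed record; the field layout is an assumption, not real telemetry.
    return {
        "eventTimestamp": ts, "caller": caller, "status": {"value": status},
        "operationName": {"value": "Microsoft.Storage/storageAccounts/blobServices/write"},
        "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-demo/providers/"
                      f"Microsoft.Storage/storageAccounts/{account}/blobServices/default",
        "properties": {"requestbody": json.dumps({"properties": body})},
    }

SAMPLE_EVENTS = [
    _sample("2024-05-02T10:15:00Z", "ops@example.com", "Succeeded", "demostore01",
            {"deleteRetentionPolicy": {"enabled": False}}),
    _sample("2024-05-02T09:00:00Z", "ops@example.com", "Succeeded", "demostore02",
            {"deleteRetentionPolicy": {"enabled": True, "days": 14}}),
    _sample("2024-05-02T11:30:00Z", "svc-app@example.com", "Failed", "demostore03",
            {"deleteRetentionPolicy": {"enabled": False}}),
    _sample("2024-05-02T12:00:00Z", "ops@example.com", "Succeeded", "demostore04",
            {"isVersioningEnabled": True}),
]

def disabled_soft_delete(event):
    """Return a finding for a successful write that turns soft delete off, else None."""
    if (event.get("operationName") or {}).get("value", "").lower() != ACTION:
        return None
    if (event.get("status") or {}).get("value", "").lower() != "succeeded":
        return None  # failed or in-flight attempts changed nothing
    raw = (event.get("properties") or {}).get("requestbody") or "{}"
    try:
        body = raw if isinstance(raw, dict) else json.loads(raw)
    except ValueError:
        return None
    props = body.get("properties") if isinstance(body, dict) else None
    policy = (props or {}).get("deleteRetentionPolicy") or {}
    if policy.get("enabled") is not False:  # absent key means policy untouched
        return None
    parts = event.get("resourceId", "").split("/")
    names = [p for i, p in enumerate(parts) if i and parts[i - 1].lower() == "storageaccounts"]
    return {"time": event.get("eventTimestamp"), "principal": event.get("caller"),
            "storage_account": names[0] if names else None}

def triage(events):
    """Return findings ordered by event time."""
    hits = [f for f in map(disabled_soft_delete, events) if f]
    return sorted(hits, key=lambda f: f["time"] or "")
```

Only the first sample record is reported: the second enables the policy, the third failed, and the fourth writes blob service settings without touching `deleteRetentionPolicy`.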
If unauthorized, immediately re-enable soft delete on the affected storage account. Review the storage account for any recent deletions that the threat actor may have intended to be permanent. Rotate credentials for the compromised identity.