Unexpected Azure API calls indicating compute snapshot deletion

ID: azure_compute_snapshot_deleted_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0040:T1485

Description

AlphaSOC detected deletion of an Azure compute snapshot via Microsoft.Compute/snapshots/delete. Snapshots are point-in-time copies of VM disks used for backup and disaster recovery. Deleting snapshots may indicate an attempt to prevent recovery after ransomware operations or to cover tracks by removing evidence of previous system states.

Impact

Deleting compute snapshots eliminates backup and recovery options for virtual machines. Threat actors may target snapshots during ransomware operations to prevent victims from restoring systems without paying ransoms. Snapshot deletion can also remove forensic evidence of previous system states that could aid incident investigation.

Severity

Severity   Condition
Low        Compute snapshot deletion detected
Medium     Anomalous compute snapshot deletion

Investigation and Remediation

Review Azure Activity logs for the Microsoft.Compute/snapshots/delete action. Identify which snapshots were deleted and the principal responsible. Verify whether this was part of planned cleanup activities or an unauthorized action.

If unauthorized, assess the impact on disaster recovery capabilities for affected VMs. Review audit logs for related suspicious activities such as ransomware indicators. Rotate credentials for the compromised identity and implement resource locks or Azure Policy to protect critical snapshots from deletion.
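The triage steps above, worked through on exported Activity log records, as an added example that is not AlphaSOC's detection code. It assumes a simplified record shape (time, operationName, caller, resultType, resourceId) approximating an Azure Activity log export, and the anomaly rules (caller outside a maintenance baseline, off-hours deletion, a burst of deletions by one caller) are assumptions chosen to illustrate the Low versus Medium split; the sample records, subscription id and principals are constructed placeholders.

```python
"""Triage Azure Activity records for Microsoft.Compute/snapshots/delete.

Added example for this page; it is not AlphaSOC's detection code. The record
shape used here (time, operationName, caller, resultType, resourceId) is a
simplified approximation of an Azure Activity log export (assumption), and the
anomaly rules are assumptions chosen to illustrate the Low/Medium split.
"""
import json
from datetime import datetime, timedelta

SNAPSHOT_DELETE = "Microsoft.Compute/snapshots/delete"

# Constructed sample data: placeholder subscription id, a human backup operator
# and a GUID-style service principal that has never deleted snapshots before.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
SNAPSHOTS = SUB + "/providers/Microsoft.Compute/snapshots/"
OPERATOR = "backup-ops@example.com"
UNKNOWN_SP = "11111111-1111-1111-1111-111111111111"

SAMPLE_ACTIVITY_JSON = json.dumps([
    {"time": "2024-05-06T10:02:11Z", "operationName": SNAPSHOT_DELETE,
     "caller": OPERATOR, "resultType": "Success",
     "resourceId": SNAPSHOTS + "vm1-snap-2024-04"},
    {"time": "2024-05-06T10:05:40Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": OPERATOR, "resultType": "Success",
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"time": "2024-05-07T03:14:02Z", "operationName": SNAPSHOT_DELETE,
     "caller": UNKNOWN_SP, "resultType": "Success",
     "resourceId": SNAPSHOTS + "vm2-snap-2024-05"},
    {"time": "2024-05-07T03:15:20Z", "operationName": SNAPSHOT_DELETE,
     "caller": UNKNOWN_SP, "resultType": "Success",
     "resourceId": SNAPSHOTS + "vm3-snap-2024-05"},
    {"time": "2024-05-07T03:16:05Z", "operationName": SNAPSHOT_DELETE,
     "caller": UNKNOWN_SP, "resultType": "Failure",
     "resourceId": SNAPSHOTS + "vm4-snap-2024-05"},
])

# Principals expected to delete snapshots during planned cleanup (assumption).
BASELINE_CALLERS = {OPERATOR}


def load_activity(text):
    """Parse an exported Activity log (JSON array of records)."""
    return json.loads(text)


def snapshot_deletions(records):
    """Keep successful snapshot deletions and pull the snapshot name and
    resource group out of the resource id. Failed attempts (for example ones
    blocked by a CanNotDelete lock) are dropped here but deserve their own
    review."""
    out = []
    for r in records:
        if r["operationName"] != SNAPSHOT_DELETE or r["resultType"] != "Success":
            continue
        rid = r["resourceId"]
        out.append({
            "time": datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "caller": r["caller"],
            "resource_group": rid.split("/resourceGroups/")[1].split("/")[0],
            "snapshot": rid.rsplit("/", 1)[1],
        })
    return out


def triage(deletions, baseline_callers, burst_count=2,
           burst_window=timedelta(minutes=10), business_hours=(8, 18)):
    """Every deletion is at least Low; it becomes Medium when any anomaly rule
    fires: caller outside the maintenance baseline, deletion outside business
    hours (UTC), or a burst of deletions by one caller."""
    times_by_caller = {}
    for d in deletions:
        times_by_caller.setdefault(d["caller"], []).append(d["time"])
    findings = []
    for d in deletions:
        reasons = []
        if d["caller"] not in baseline_callers:
            reasons.append("caller not in snapshot-maintenance baseline")
        if not business_hours[0] <= d["time"].hour < business_hours[1]:
            reasons.append("deleted outside business hours")
        nearby = [t for t in times_by_caller[d["caller"]]
                  if abs(t - d["time"]) <= burst_window]
        if len(nearby) >= burst_count:
            minutes = int(burst_window.total_seconds() // 60)
            reasons.append(f"{len(nearby)} deletions by caller within {minutes} min")
        findings.append({**d, "severity": "Medium" if reasons else "Low",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(snapshot_deletions(load_activity(SAMPLE_ACTIVITY_JSON)),
                    BASELINE_CALLERS):
        print(f"{f['severity']:6} {f['time']:%Y-%m-%d %H:%M} {f['caller']} "
              f"{f['resource_group']}/{f['snapshot']} {'; '.join(f['reasons'])}")
```

Run against the constructed records, the operator's daytime cleanup comes out Low with no reasons, while the two successful deletions by the unknown service principal at 03:14 and 03:15 UTC come out Medium on all three rules. The output gives the analyst the snapshot names and the responsible principal needed to check whether the activity was planned; once a deletion is confirmed unauthorized, the resource-lock step above corresponds to a CanNotDelete lock on the remaining snapshots, which turns later deletion attempts into the Failure records this script sets aside.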

Known False Positives

  • Planned cleanup of outdated snapshots
  • Cost optimization by removing unnecessary backups