Azure diagnostic setting deleted
Description
AlphaSOC detected the deletion of an Azure diagnostic setting. Diagnostic settings control the collection and forwarding of platform logs, metrics, and activity logs to destinations such as Log Analytics workspaces, Event Hubs, or storage accounts. Adversaries may delete diagnostic settings to disable logging and monitoring, impairing security visibility and forensic capabilities.
Impact
Deleting diagnostic settings removes security monitoring capabilities for Azure resources. Without these logs, security teams lose visibility into resource access patterns, configuration changes, and potential security incidents. This can allow attackers to perform malicious activities undetected and complicate incident response and forensic investigations.
Severity
| Severity | Condition |
|---|---|
| Medium | Azure diagnostic setting deleted |
Investigation and Remediation
Review Azure Activity logs to identify the microsoft.insights/diagnosticSettings/delete event. Determine which resource's diagnostic settings were deleted and identify the principal responsible for the action.
If unauthorized, immediately recreate the diagnostic settings to restore logging. Review other diagnostic configurations across the environment for similar unauthorized changes. Rotate credentials for the compromised identity and audit RBAC assignments to restrict permissions for managing diagnostic settings. Implement Azure Policy to prevent deletion of diagnostic settings on critical resources.
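The triage steps above (find the delete event, work out which resource lost its diagnostic setting, and attribute it to a principal) can be scripted over an Activity Log export. The following is an added example written for this page, not AlphaSOC's detection logic or any Azure SDK code. It assumes the Activity Log export schema field names operationName, resultType, caller, resourceId and time; the sample records are constructed and the subscription, resource group and caller values are placeholders.

```python
"""Triage Azure Activity Log records for diagnostic-setting deletions.

Added example (not AlphaSOC code). Assumes the Activity Log export schema
field names: operationName, resultType, caller, resourceId, time.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Operation recorded for a diagnostic-setting deletion. Exported records
# upper-case the value, so all comparisons are case-insensitive.
DELETE_OP = "microsoft.insights/diagnosticsettings/delete"

# A diagnostic setting is a child resource of the resource it monitors:
#   <parent resource id>/providers/microsoft.insights/diagnosticSettings/<name>
_SETTING_SUFFIX = re.compile(
    r"/providers/microsoft\.insights/diagnosticsettings/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

# Constructed placeholder scope; not a real subscription.
_SCOPE = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
_KV = _SCOPE + "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/PROD-KV"
_SA = _SCOPE + "/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/PRODLOGS01"

# Constructed sample export (JSON Lines). Not real telemetry.
SAMPLE_ACTIVITY_LOG = "\n".join(json.dumps(r) for r in [
    # Every deletion emits a Start record followed by the outcome record.
    {"time": "2024-05-02T10:14:03Z", "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Start", "caller": "svc-deploy@example.com",
     "resourceId": _KV + "/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/SEND-TO-LAW"},
    {"time": "2024-05-02T10:14:05Z", "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Success", "caller": "svc-deploy@example.com",
     "resourceId": _KV + "/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/SEND-TO-LAW"},
    # A write to a diagnostic setting is not a deletion and must not match.
    {"time": "2024-05-02T10:20:44Z", "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
     "resultType": "Success", "caller": "alice@example.com",
     "resourceId": _SA + "/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/SEND-TO-LAW"},
    # A failed deletion attempt is still worth surfacing, flagged as not succeeded.
    {"time": "2024-05-02T11:02:10Z", "operationName": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
     "resultType": "Failure", "caller": "bob@example.com",
     "resourceId": _SA + "/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/SEND-TO-LAW"},
    # Deleting some other resource type is out of scope for this detection.
    {"time": "2024-05-02T11:30:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "resultType": "Success", "caller": "alice@example.com",
     "resourceId": _SCOPE + "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01"},
])


@dataclass
class SettingDeletion:
    time: str
    caller: str
    parent_resource: str  # the resource that lost its diagnostic setting
    setting_name: str
    succeeded: bool


def parse_deletion(record: dict) -> Optional[SettingDeletion]:
    """Return a SettingDeletion for a delete outcome record, else None."""
    if record.get("operationName", "").lower() != DELETE_OP:
        return None
    status = record.get("resultType", "")
    if status == "Start":
        return None  # count the outcome record only, so each deletion appears once
    resource_id = record.get("resourceId", "")
    m = _SETTING_SUFFIX.search(resource_id)
    if m:
        parent, name = resource_id[: m.start()], m.group("name")
    else:
        parent, name = resource_id, "<unknown>"
    return SettingDeletion(
        time=record.get("time", ""),
        caller=record.get("caller", "<unknown>"),
        parent_resource=parent,
        setting_name=name,
        succeeded=(status == "Success"),
    )


def find_setting_deletions(jsonl: str) -> list:
    """Scan a JSON Lines Activity Log export for diagnostic-setting deletions."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = parse_deletion(json.loads(line))
            if ev is not None:
                events.append(ev)
    return events


def deletions_by_caller(events: list) -> dict:
    """Count successful deletions per principal to spot bulk log-disabling."""
    counts: dict = {}
    for ev in events:
        if ev.succeeded:
            counts[ev.caller] = counts.get(ev.caller, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_setting_deletions(SAMPLE_ACTIVITY_LOG)
    for ev in found:
        outcome = "deleted" if ev.succeeded else "delete FAILED"
        print(f"{ev.time} {ev.caller} {outcome} setting '{ev.setting_name}' on {ev.parent_resource}")
    print("successful deletions per caller:", deletions_by_caller(found))
```

The parent resource recovered from the resourceId is what needs its diagnostic setting recreated, and the per-caller count gives a quick view of whether one principal removed settings across many resources, which separates an administrator's reorganization from an identity that is worth rotating.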
Known False Positives
- Administrators consolidating or reorganizing logging configurations
- Cost optimization activities in non-production environments
- Infrastructure changes during resource decommissioning