Azure API calls indicating Event Hub deletion
Description
AlphaSOC detected deletion of an Azure Event Hub namespace via
Microsoft.EventHub/namespaces/delete. Deleting an Event Hub namespace removes
all event hubs, consumer groups, and data within it.
Adversaries may delete Event Hub namespaces to disrupt logging pipelines, destroy evidence of malicious activity, or cause operational disruption to applications that depend on event streaming.
Impact
Event Hub deletion can disrupt critical logging and analytics infrastructure. Organizations may lose visibility into security events if Event Hubs are used for centralized log collection. Downstream systems depending on event streams may fail, and historical event data may be permanently lost if not backed up.
Severity
| Severity | Condition |
|---|---|
| Low | Event Hub namespace deleted |
| Medium | Anomalous Event Hub deletion (e.g. unexpected principal, source IP, or time; namespace used by a logging pipeline) |
Investigation and Remediation
Review Azure Activity logs for the Microsoft.EventHub/namespaces/delete
operation. Identify the principal that performed the deletion (caller, client IP
address, and whether it is a user, service principal, or managed identity) and
verify that the action was authorized, for example by matching it to a change
request, a planned decommissioning, or an expected infrastructure-as-code
pipeline run. The Activity log records Started, Succeeded, and Failed entries for
the same operation, so confirm a Succeeded entry before treating the namespace as
gone. Assess the impact on downstream systems and logging pipelines that
depended on the deleted namespace; diagnostic settings and SIEM connectors that
pointed at it fail silently once the target no longer exists, which creates a
visibility gap until they are repointed.
If unauthorized, investigate the compromised identity for additional malicious activity, including other resource deletions and role assignment changes in the same time window. Do not count on a soft-delete mechanism for recovery: unlike Key Vault or Storage, Event Hubs has no user-facing soft-delete for namespaces, so events retained in the deleted hubs should be treated as lost unless Event Hubs Capture had been writing them to a storage account or Data Lake, which is not removed with the namespace. Rebuild the namespace (preferably from infrastructure-as-code), repoint producers and consumers, and restore log forwarding. Restrict Microsoft.EventHub/namespaces/delete to a small set of administrators via RBAC rather than granting broad Contributor or Owner roles on the resource group that hosts logging infrastructure, and apply a CanNotDelete resource lock to namespaces that carry security telemetry.
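The triage described above, as an added example that is not part of the original AlphaSOC documentation: the script below filters an Activity log export for successful Microsoft.EventHub/namespaces/delete operations, pulls out the caller, client IP, and namespace, and grades each deletion Low or Medium in line with the severity table. The records are constructed, and their field names (operationName.value, status.value, caller, httpRequest.clientIpAddress, eventTimestamp, resourceId) are assumed to follow the JSON shape returned by `az monitor activity-log list`; the authorized-caller set, the protected-namespace set, and the business-hours window are illustrative inputs an analyst would supply.

```python
"""Triage Microsoft.EventHub/namespaces/delete events from an Activity log export."""
import json
from datetime import datetime

DELETE_OP = "Microsoft.EventHub/namespaces/delete"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging"

# Constructed sample records (not real telemetry). Field names are assumed to
# match the JSON shape of `az monitor activity-log list -o json`.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {   # authorized admin removing an old dev namespace during the day
        "eventTimestamp": "2024-05-14T09:12:03.000Z",
        "operationName": {"value": DELETE_OP},
        "status": {"value": "Succeeded"},
        "caller": "platform-admin@contoso.example",
        "httpRequest": {"clientIpAddress": "203.0.113.10"},
        "resourceId": SUB + "/providers/Microsoft.EventHub/namespaces/ehns-old-dev",
    },
    {   # Started sub-event for the deletion below; must not be double-counted
        "eventTimestamp": "2024-05-14T02:47:20.000Z",
        "operationName": {"value": DELETE_OP},
        "status": {"value": "Started"},
        "caller": "svc-ci-deploy@contoso.example",
        "httpRequest": {"clientIpAddress": "198.51.100.77"},
        "resourceId": SUB + "/providers/Microsoft.EventHub/namespaces/ehns-siem-ingest",
    },
    {   # CI identity deleting the SIEM ingest namespace at 02:47 UTC
        "eventTimestamp": "2024-05-14T02:47:55.000Z",
        "operationName": {"value": DELETE_OP},
        "status": {"value": "Succeeded"},
        "caller": "svc-ci-deploy@contoso.example",
        "httpRequest": {"clientIpAddress": "198.51.100.77"},
        "resourceId": SUB + "/providers/Microsoft.EventHub/namespaces/ehns-siem-ingest",
    },
    {   # unrelated write operation, ignored by the filter
        "eventTimestamp": "2024-05-14T10:00:00.000Z",
        "operationName": {"value": "Microsoft.EventHub/namespaces/write"},
        "status": {"value": "Succeeded"},
        "caller": "platform-admin@contoso.example",
        "httpRequest": {"clientIpAddress": "203.0.113.10"},
        "resourceId": SUB + "/providers/Microsoft.EventHub/namespaces/ehns-new",
    },
])


def load_activity_log(raw_json):
    """Parse an exported Activity log (JSON array of event records)."""
    return json.loads(raw_json)


def _namespace_name(resource_id):
    # The last ARM path segment of a namespace resource ID is the namespace name.
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def _parse_ts(ts):
    # fromisoformat() on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_namespace_deletions(records, authorized_callers, protected_namespaces,
                               business_hours=(8, 18)):
    """Return one finding per completed namespace deletion, graded Low/Medium."""
    findings = []
    for rec in records:
        if rec.get("operationName", {}).get("value") != DELETE_OP:
            continue
        # The Activity log emits Started/Succeeded/Failed entries for one
        # operation; only Succeeded means the namespace is actually gone.
        if rec.get("status", {}).get("value") != "Succeeded":
            continue
        caller = rec.get("caller", "<unknown>")
        namespace = _namespace_name(rec["resourceId"])
        when = _parse_ts(rec["eventTimestamp"])

        reasons = []  # any reason upgrades the finding to Medium
        if caller not in authorized_callers:
            reasons.append("caller not in the authorized administrator set")
        if namespace in protected_namespaces:
            reasons.append("namespace feeds a logging/SIEM pipeline")
        start, end = business_hours  # hours are compared in UTC (assumption)
        if not start <= when.hour < end:
            reasons.append("deletion outside business hours (UTC)")

        findings.append({
            "timestamp": when.isoformat(),
            "caller": caller,
            "client_ip": rec.get("httpRequest", {}).get("clientIpAddress", "<unknown>"),
            "namespace": namespace,
            "resource_id": rec["resourceId"],
            "severity": "Medium" if reasons else "Low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    results = triage_namespace_deletions(
        load_activity_log(SAMPLE_ACTIVITY_LOG),
        authorized_callers={"platform-admin@contoso.example"},
        protected_namespaces={"ehns-siem-ingest"},
    )
    print(json.dumps(results, indent=2))
```

Two findings come out of the sample: the daytime deletion by the listed administrator is Low, while the deletion of ehns-siem-ingest by the CI identity is Medium with all three reasons attached. A legitimate automation identity that decommissions namespaces will also land in Medium until it is added to the authorized set, which is the intended tuning point; the protected-namespace list is the one to populate from your diagnostic settings and SIEM connector configuration so that loss of a logging pipeline is never graded Low.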