Azure VNet flow logs deleted
Description
AlphaSOC detected the deletion of Azure Network Watcher flow logs. Threat actors
may delete flow log configurations using the
Microsoft.Network/networkWatchers/flowLogs/delete action to eliminate network
traffic visibility before conducting malicious activities. By removing flow
logging, attackers can perform malicious actions without those network flows
being captured and analyzed.
Impact
Deletion of Azure flow logs eliminates critical network visibility that security teams rely on for detecting and investigating threats. Attackers operating without flow logging can exfiltrate sensitive data to external IP addresses, establish persistence through reverse shells, conduct internal reconnaissance, or move laterally between resources without generating network traffic logs. The absence of flow logs prevents security teams from identifying unusual connection patterns, detecting data exfiltration to unknown destinations, or reconstructing attack timelines during incident response.
Severity
| Severity | Condition |
|---|---|
| Low | Azure flow logs deleted |
Investigation and Remediation
Review Azure Activity logs to identify the
Microsoft.Network/networkWatchers/flowLogs/delete event and determine which
flow log configuration was deleted. Verify the principal (user, service
principal, or managed identity) that performed the deletion and check the source
IP address and user agent to confirm whether the activity originated from
expected infrastructure or authorized personnel.
If the deletion was unauthorized, immediately restore flow logging by recreating the flow log configuration with appropriate retention periods and storage account destinations. Review the time period when flow logging was disabled to identify what network activity occurred without visibility, and correlate with other log sources such as Azure Activity logs, application logs, and endpoint detection tools to detect potential malicious activities. Disable or rotate credentials for the compromised principal and review Azure RBAC assignments to remove excessive permissions on Network Watcher resources. Implement Azure Policy to enforce flow logging requirements on all critical NSGs and VNets.
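The triage described above, as an added example (not AlphaSOC's own code) run over constructed Activity Log records: it keeps only successful flowLogs/delete events, records the caller, source IP and user agent, compares the IP against a known admin egress list, and measures how long each flow log stayed absent before a successful recreate of the same resource. The record field names, the sample values and the `trusted_ips` parameter are assumptions for this example.

```python
from datetime import datetime, timezone

# Activity Log operations: the delete action named on this page and the matching recreate.
FLOWLOG_DELETE = "Microsoft.Network/networkWatchers/flowLogs/delete"
FLOWLOG_WRITE = "Microsoft.Network/networkWatchers/flowLogs/write"

# Constructed sample records. The field layout (eventTimestamp, operationName, caller,
# callerIpAddress, httpRequest.userAgent, resourceId, status) is an assumption, not a verified schema.
FLOWLOG_RES = ("/subscriptions/<subscription-id-placeholder>/resourceGroups/NetworkWatcherRG/providers/"
               "Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/nsg-web-flowlog")
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-05-02T03:14:00Z", "operationName": FLOWLOG_DELETE,
     "caller": "svc-deploy", "callerIpAddress": "198.51.100.77",
     "httpRequest": {"userAgent": "python-requests/2.31"},
     "resourceId": FLOWLOG_RES, "status": "Succeeded"},
    {"eventTimestamp": "2024-05-02T03:20:00Z", "operationName": FLOWLOG_DELETE,
     "caller": "svc-deploy", "callerIpAddress": "198.51.100.77",
     "httpRequest": {"userAgent": "python-requests/2.31"},
     "resourceId": FLOWLOG_RES, "status": "Failed"},  # nothing was removed: ignored below
    {"eventTimestamp": "2024-05-02T11:00:00Z", "operationName": FLOWLOG_WRITE,
     "caller": "netops@example.com", "callerIpAddress": "203.0.113.10",
     "httpRequest": {"userAgent": "Terraform/1.7"},
     "resourceId": FLOWLOG_RES, "status": "Succeeded"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_flowlog_deletions(records, trusted_ips=frozenset()):
    """One finding per successful flowLogs/delete: who, from where, with which client,
    and minutes until the same resourceId was successfully recreated (None if never)."""
    events = sorted(records, key=lambda r: r["eventTimestamp"])
    findings = []
    for i, rec in enumerate(events):
        if rec["operationName"] != FLOWLOG_DELETE or rec["status"] != "Succeeded":
            continue
        restored = next((e for e in events[i + 1:]
                         if e["resourceId"] == rec["resourceId"]
                         and e["operationName"] == FLOWLOG_WRITE
                         and e["status"] == "Succeeded"), None)
        gap = None
        if restored:
            gap = int((_ts(restored["eventTimestamp"]) - _ts(rec["eventTimestamp"])).total_seconds() // 60)
        findings.append({
            "flow_log": rec["resourceId"].rsplit("/", 1)[-1], "caller": rec["caller"],
            "source_ip": rec["callerIpAddress"], "user_agent": rec["httpRequest"]["userAgent"],
            "from_trusted_ip": rec["callerIpAddress"] in trusted_ips, "minutes_without_flow_logs": gap,
        })
    return findings
```

The `minutes_without_flow_logs` value bounds the window that must be reviewed against other log sources; a caller, IP or user agent outside expected deployment tooling is what distinguishes a cost-optimization change from the unauthorized case.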
Known False Positives
- Cost optimization initiatives removing flow logs from non-critical or development environments