Azure Insights alert impaired
Description
AlphaSOC detected impairment of Azure Monitor alerts through deletion or
disabling of scheduled query rules or metric alerts. This includes
microsoft.insights/scheduledqueryrules/delete,
microsoft.insights/metricalerts/delete, or modification with the enabled
property set to false.
Azure Monitor alerts notify administrators of security events, performance issues, and resource anomalies. Adversaries may delete or disable alerts to prevent detection of malicious activities such as resource hijacking, unauthorized access, or data exfiltration.
Impact
Disabling or deleting monitoring alerts reduces visibility into security events and operational issues. Critical incidents such as resource abuse, cryptomining, or data breaches may go unnoticed until significant damage has occurred.
Severity
| Severity | Condition |
|---|---|
| Low | Alert deleted or disabled |
| Medium | Anomalous alert impairment |
Investigation and Remediation
Review Azure Activity logs for microsoft.insights/scheduledqueryrules and
microsoft.insights/metricalerts operations. Identify which alerts were deleted
or disabled and the principal responsible. Determine if the changes were
authorized as part of maintenance or decommissioning.
If unauthorized, restore the affected alerts from backup configurations or recreate them. Investigate the compromised identity for additional defense evasion activities. Implement Azure Policy to require approval for alert modifications and configure alerts on alert configuration changes.
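The detection criteria from the description and the first investigation step (which alerts, which principal) as an added Python example; this is not AlphaSOC's own logic. The Activity Log records are constructed and simplified, and the field names (operationName, caller, resultType, resourceId, properties.requestbody) are assumed to follow the Activity Log export schema.

```python
import json

# Operation names from the detection; compared case-insensitively because
# exported Activity Log records may carry them upper-cased.
DELETE_OPS = {
    "microsoft.insights/scheduledqueryrules/delete",
    "microsoft.insights/metricalerts/delete",
}
WRITE_OPS = {
    "microsoft.insights/scheduledqueryrules/write",
    "microsoft.insights/metricalerts/write",
}


def _enabled_false(request_body):
    """True when a write request body sets properties.enabled to false.

    Accepts both a JSON boolean and the string "false", since older
    scheduledqueryrules API versions serialise the flag as a string.
    """
    try:
        body = json.loads(request_body) if isinstance(request_body, str) else request_body
    except (TypeError, ValueError):
        return False
    if not isinstance(body, dict):
        return False
    value = body.get("properties", {}).get("enabled")
    return value is False or str(value).lower() == "false"


def find_impaired_alerts(records):
    """Return (resourceId, caller, reason) for each successful delete or disable of an alert rule."""
    hits = []
    for rec in records:
        if rec.get("resultType", "Success").lower() != "success":
            continue  # a failed attempt did not impair anything
        op = rec.get("operationName", "").lower()
        if op in DELETE_OPS:
            hits.append((rec["resourceId"], rec["caller"], "deleted"))
        elif op in WRITE_OPS and _enabled_false(rec.get("properties", {}).get("requestbody")):
            hits.append((rec["resourceId"], rec["caller"], "disabled"))
    return hits


# Constructed sample records (placeholder subscription, fictional callers).
RG = "/subscriptions/<sub>/resourceGroups/rg-sec/providers/microsoft.insights/"
SAMPLE_RECORDS = [
    {"operationName": "MICROSOFT.INSIGHTS/SCHEDULEDQUERYRULES/DELETE", "caller": "svc-deploy@example.com",
     "resultType": "Success", "resourceId": RG + "scheduledqueryrules/suspicious-signin", "properties": {}},
    {"operationName": "microsoft.insights/metricalerts/write", "caller": "ops@example.com", "resultType": "Success",
     "resourceId": RG + "metricalerts/cpu-spike",
     "properties": {"requestbody": json.dumps({"properties": {"enabled": False}})}},
    {"operationName": "microsoft.insights/scheduledqueryrules/write", "caller": "ops@example.com",
     "resultType": "Success", "resourceId": RG + "scheduledqueryrules/legacy-rule",
     "properties": {"requestbody": json.dumps({"properties": {"enabled": "true"}})}},
    {"operationName": "microsoft.insights/metricalerts/delete", "caller": "ops@example.com",
     "resultType": "Failure", "resourceId": RG + "metricalerts/disk-full", "properties": {}},
]
```

Run over the sample, only the successful delete and the write that sets enabled to false are reported; the re-enable write and the failed delete are not.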