Azure Network Watcher deleted
Description
AlphaSOC detected the deletion of an Azure Network Watcher. Network Watcher provides monitoring and diagnostic capabilities for Azure networks, including flow logs, packet captures, and connection troubleshooting. Adversaries may delete Network Watcher to disable network logging and evade detection of their activities.
Impact
Deleting Network Watcher eliminates critical network monitoring and diagnostic capabilities. This action disables flow logs, connection monitors, and other network visibility tools, making it difficult to detect network-based attacks, investigate security incidents, or troubleshoot connectivity issues.
Severity
| Severity | Condition |
|---|---|
| Low | Azure Network Watcher deleted |
Investigation and Remediation
Determine which Network Watcher was deleted and the associated region. Verify the identity of the user who deleted it and confirm the action was authorized. Recreate the Network Watcher immediately to restore monitoring capabilities. Investigate recent network activity and the user's account for signs of compromise.
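One way to carry out the first two steps above, as an added example (not AlphaSOC's detection logic): it scans Azure Activity Log records for successful `Microsoft.Network/networkWatchers/delete` operations and reports the watcher, caller and time. The sample records, the `approved_callers` allowlist and the helper names are constructed for illustration, and the region is inferred only from the default `NetworkWatcher_<region>` naming.

```python
DELETE_OP = "Microsoft.Network/networkWatchers/delete"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

def make_event(op, status, caller, watcher, ts, corr):
    """Build a constructed record shaped like `az monitor activity-log list` output."""
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": caller, "eventTimestamp": ts, "correlationId": corr,
            "resourceId": f"{SUB}/resourceGroups/NetworkWatcherRG/providers"
                          f"/Microsoft.Network/networkWatchers/{watcher}"}

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    make_event(DELETE_OP, "Started", "alice@example.com", "NetworkWatcher_westeurope", "2024-01-10T09:15:01Z", "c1"),
    make_event(DELETE_OP, "Succeeded", "alice@example.com", "NetworkWatcher_westeurope", "2024-01-10T09:15:02Z", "c1"),
    make_event("Microsoft.Network/networkWatchers/write", "Succeeded", "alice@example.com", "NetworkWatcher_westeurope", "2024-01-09T08:00:00Z", "c0"),
    make_event(DELETE_OP, "Failed", "bob@example.com", "NetworkWatcher_northeurope", "2024-01-10T11:00:00Z", "c3"),
    make_event(DELETE_OP, "Succeeded", "11111111-1111-1111-1111-111111111111", "NetworkWatcher_eastus", "2024-01-11T02:00:10Z", "c2"),
]

def field_value(field):
    """Activity Log fields arrive either as a plain string or as {"value": ...}."""
    return field.get("value", "") if isinstance(field, dict) else (field or "")

def find_watcher_deletions(events, approved_callers=()):
    """Return one finding per successful Network Watcher deletion, oldest first."""
    approved = {c.lower() for c in approved_callers}
    findings = {}
    for ev in events:
        if field_value(ev.get("operationName")).lower() != DELETE_OP.lower():
            continue
        if field_value(ev.get("status")).lower() != "succeeded":
            continue  # skip Started/Failed records for the same operation
        resource_id = ev.get("resourceId", "")
        watcher = resource_id.rstrip("/").rsplit("/", 1)[-1]
        # Default watchers are named NetworkWatcher_<region>; custom names give no hint.
        is_default = watcher.lower().startswith("networkwatcher_")
        caller = ev.get("caller", "")
        key = ev.get("correlationId") or (resource_id, ev.get("eventTimestamp"))
        findings[key] = {
            "time": ev.get("eventTimestamp", ""), "watcher": watcher,
            "region_hint": watcher.split("_", 1)[1] if is_default else None,
            "caller": caller, "resource_id": resource_id,
            "approved_caller": caller.lower() in approved,  # False means verify with the owner
        }
    return sorted(findings.values(), key=lambda f: f["time"])

if __name__ == "__main__":
    for f in find_watcher_deletions(SAMPLE_EVENTS, ["11111111-1111-1111-1111-111111111111"]):
        print(f["time"], f["watcher"], f["region_hint"], f["caller"], f["approved_caller"])
```

A caller listed in `approved_callers` corresponds to the automated-cleanup false positive; any other caller is the one to confirm authorization for.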
Known False Positives
- Cleanup of resources in decommissioned regions
- Infrastructure reorganization moving to different monitoring solutions
- Automated cleanup of unused resources