Unexpected Azure API calls indicating resource group deletion
Description
AlphaSOC detected deletion of an Azure resource group via
Microsoft.Resources/subscriptions/resourceGroups/delete. Resource groups are
containers that hold related Azure resources such as virtual machines, storage
accounts, databases, and networking components.
Deleting a resource group removes all contained resources, potentially destroying critical infrastructure, evidence of attacks, or business data. Adversaries may delete resource groups to cause operational disruption or cover their tracks.
Impact
Resource group deletion results in the removal of all contained resources, potentially causing significant operational disruption. Critical infrastructure, application data, and security logs may be permanently lost if not backed up. Attackers may use this technique to destroy evidence of their activities or as part of a destructive attack.
Severity
| Severity | Condition |
|---|---|
| Low | Resource group deletion detected |
| Medium | Anomalous resource group deletion |
Investigation and Remediation
Review Azure Activity logs for
Microsoft.Resources/subscriptions/resourceGroups/delete events. A single delete
operation produces several events (Started, then Succeeded or Failed) that share
a correlationId, so correlate on that value and check the terminal status before
treating the group as gone. Identify the principal that performed the deletion
and its source IP address, and confirm whether the action was authorized (for
example a planned decommissioning or a CI/CD teardown). Assess the impact on
contained resources and downstream dependencies.
If unauthorized, investigate the compromised identity for additional destructive activities and review what else it touched around the same time. A deleted resource group cannot be restored as a unit; recovery depends on backups and on per-resource protections that were enabled beforehand, such as soft delete for Key Vault and storage accounts. Implement CanNotDelete resource locks on critical resource groups and restrict delete permissions through RBAC so that only a small, audited set of principals can remove them.
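The triage steps above as a runnable script, added here as an example and not AlphaSOC's own detection code. It parses a constructed Activity Log sample (simplified event shape with operationName.value, caller, status.value, resourceGroupName, eventTimestamp, correlationId and claims.ipaddr), collapses the Started/Succeeded/Failed events of each delete by correlationId, and assigns the page's Low/Medium severity based on assumed anomaly signals: a principal with no deletion history, a source IP outside assumed corporate ranges, activity outside business hours, and an assumed "rg-prod-" naming prefix for protected groups.

```python
"""Triage resource group deletions in Azure Activity Log events.

Added example for this page; not AlphaSOC's detection code. Sample events are
constructed and use a simplified form of the Activity Log event shape. The
known-deleter baseline, corporate IP ranges, business hours and protected
naming prefix are assumptions made for the example.
"""
import ipaddress
import json
from datetime import datetime

DELETE_OP = "Microsoft.Resources/subscriptions/resourceGroups/delete"

# Assumed environment baseline (hypothetical values).
KNOWN_DELETERS = {"ops-admin@example.com"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PROTECTED_PREFIXES = ("rg-prod-",)
BUSINESS_HOURS_UTC = range(7, 19)

# Constructed sample log: a routine deletion by a known operator (c-1), an
# unrelated VM write (c-2), a night-time deletion of a production group by an
# unfamiliar principal from an outside address (c-3), and a failed attempt (c-4).
SAMPLE_ACTIVITY_LOG = r"""
{"operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "caller": "ops-admin@example.com", "status": {"value": "Started"}, "resourceGroupName": "rg-staging-old", "eventTimestamp": "2024-03-12T09:14:03Z", "correlationId": "c-1", "claims": {"ipaddr": "203.0.113.10"}}
{"operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "caller": "ops-admin@example.com", "status": {"value": "Succeeded"}, "resourceGroupName": "rg-staging-old", "eventTimestamp": "2024-03-12T09:16:40Z", "correlationId": "c-1", "claims": {"ipaddr": "203.0.113.10"}}
{"operationName": {"value": "Microsoft.Compute/virtualMachines/write"}, "caller": "ops-admin@example.com", "status": {"value": "Succeeded"}, "resourceGroupName": "rg-prod-web", "eventTimestamp": "2024-03-12T09:20:00Z", "correlationId": "c-2", "claims": {"ipaddr": "203.0.113.10"}}
{"operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "caller": "svc-ci-deploy", "status": {"value": "Started"}, "resourceGroupName": "rg-prod-web", "eventTimestamp": "2024-03-12T02:41:11Z", "correlationId": "c-3", "claims": {"ipaddr": "198.51.100.77"}}
{"operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "caller": "svc-ci-deploy", "status": {"value": "Succeeded"}, "resourceGroupName": "rg-prod-web", "eventTimestamp": "2024-03-12T02:52:30Z", "correlationId": "c-3", "claims": {"ipaddr": "198.51.100.77"}}
{"operationName": {"value": "Microsoft.Resources/subscriptions/resourceGroups/delete"}, "caller": "intern@example.com", "status": {"value": "Failed"}, "resourceGroupName": "rg-prod-db", "eventTimestamp": "2024-03-12T10:05:00Z", "correlationId": "c-4", "claims": {"ipaddr": "203.0.113.10"}}
"""


def _parse_ts(value):
    # Activity Log timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_activity_log(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resource_group_deletions(events):
    """Collapse the Started/Succeeded/Failed events of each delete into one record.

    Events of one operation share a correlationId; the terminal status tells
    the analyst whether the group is actually gone.
    """
    ops = {}
    for e in events:
        if e.get("operationName", {}).get("value") != DELETE_OP:
            continue
        cid = e["correlationId"]
        ts = _parse_ts(e["eventTimestamp"])
        status = e["status"]["value"]
        rec = ops.get(cid)
        if rec is None:
            ops[cid] = {
                "correlationId": cid,
                "caller": e["caller"],
                "resourceGroup": e["resourceGroupName"],
                "ip": e.get("claims", {}).get("ipaddr", ""),
                "started": ts,
                "status": status,
            }
            continue
        rec["started"] = min(rec["started"], ts)
        if status != "Started":  # Succeeded/Failed overrides the Started marker
            rec["status"] = status
    return sorted(ops.values(), key=lambda r: r["started"])


def anomaly_reasons(rec):
    """Return the reasons a deletion looks anomalous (empty list = routine)."""
    reasons = []
    if rec["caller"] not in KNOWN_DELETERS:
        reasons.append("principal has not deleted resource groups before")
    try:
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in CORPORATE_RANGES):
            reasons.append(f"source IP {ip} is outside known ranges")
    except ValueError:
        reasons.append("no usable source IP in claims")
    if rec["started"].hour not in BUSINESS_HOURS_UTC:
        reasons.append("outside business hours (UTC)")
    if rec["resourceGroup"].startswith(PROTECTED_PREFIXES):
        reasons.append("resource group uses a protected naming prefix")
    return reasons


def triage(text):
    """Assign the page's severity: low if merely detected, medium if anomalous.

    Failed attempts are kept so the analyst sees who tried, with removed=False.
    """
    results = []
    for rec in resource_group_deletions(parse_activity_log(text)):
        reasons = anomaly_reasons(rec)
        results.append({**rec, "severity": "medium" if reasons else "low",
                        "reasons": reasons,
                        "removed": rec["status"] == "Succeeded"})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ACTIVITY_LOG):
        print(f"{r['severity'].upper():6} {r['status']:9} {r['resourceGroup']:15} "
              f"by {r['caller']} from {r['ip']} at {r['started']:%Y-%m-%d %H:%M}Z")
        for reason in r["reasons"]:
            print(f"        - {reason}")
```

In a real environment the events would come from a Log Analytics export or the Activity Log REST API rather than an inline string, and the baseline sets would be built from the tenant's own history (for example every principal that completed a resource group delete in the last 90 days) instead of being hard-coded. The locks the remediation section recommends are applied out of band, for example with `az lock create --lock-type CanNotDelete --resource-group <rg> --name <lock-name>`.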