Azure resource group mass deletion
Description
AlphaSOC detected mass resource deletion caused by an Azure resource group deletion. The alert triggers when multiple child resources are cascade-deleted within a short time window as a result of deleting the parent resource group.
Mass deletion of Azure resources indicates significant infrastructure changes that may represent destructive activity, an attempt to destroy evidence, or unauthorized cleanup of compromised resources.
Impact
Mass resource deletion can cause widespread operational disruption across multiple services and applications. Critical infrastructure components, databases, storage accounts, and networking resources may be permanently lost. Organizations may face extended downtime and data loss if adequate backups are not available.
Severity
| Severity | Condition |
|---|---|
| Medium | Multiple resources cascade-deleted from resource group |
Investigation and Remediation
Review the Azure Activity log to identify the resource group deletion (operation `Microsoft.Resources/subscriptions/resourceGroups/delete`) that triggered the cascade, then list every resource deleted under that resource group and the principal (caller) responsible. Verify whether the deletion was authorized through change management.
If it was not, treat the identity as compromised: investigate it immediately and review its other activity for signs of a broader destructive attack. A deleted resource group cannot be restored as a unit, so recover from backups or redeploy from infrastructure-as-code where available; some resource types, such as Key Vault and storage accounts, offer soft delete that may allow recovery within the retention window. Apply CanNotDelete resource locks to critical resource groups, configure Activity log alerts for resource group deletions, and consider requiring an additional approval workflow for destructive operations.
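The cascade logic described in the Description and the triage steps above (find the resource group delete, list the child resources it removed, and name the caller) can be reproduced over Activity log records. The following is an added example written for this page; it is not AlphaSOC's detection code. It assumes flattened records with the column names used by the AzureActivity table in Log Analytics (TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, ResourceId, CorrelationId), a 15-minute window and a threshold of three child deletes (both assumed tuning values), and the sample events, subscription ID and principals are constructed for illustration.

```python
"""Cascade-deletion detector over Azure Activity log records.

Added example; not AlphaSOC code. Record keys follow the AzureActivity
table (assumed), and SAMPLE_EVENTS below are constructed.
"""
from datetime import datetime, timedelta

RG_DELETE_OP = "Microsoft.Resources/subscriptions/resourceGroups/delete"
# A resource group delete is logged as it starts and again when it finishes;
# any of these states marks the start of the cascade.
RG_DELETE_STATES = {"Started", "Accepted", "Succeeded"}

# Constructed sample data: placeholder subscription ID and principals.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod-web"
SAMPLE_EVENTS = [
    # Routine single deletion half an hour earlier: outside the cascade window.
    {"TimeGenerated": "2024-05-01T09:30:00Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c0",
     "ResourceId": RG + "/providers/Microsoft.Compute/virtualMachines/vm-old"},
    # The resource group delete itself (Started, then Succeeded).
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationNameValue": RG_DELETE_OP,
     "ActivityStatusValue": "Started", "Caller": "alice@contoso.example", "CorrelationId": "c1", "ResourceId": RG},
    {"TimeGenerated": "2024-05-01T10:00:07Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c1",
     "ResourceId": RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"TimeGenerated": "2024-05-01T10:00:09Z", "OperationNameValue": "Microsoft.Network/networkInterfaces/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c1",
     "ResourceId": RG + "/providers/Microsoft.Network/networkInterfaces/vm-web-01-nic"},
    {"TimeGenerated": "2024-05-01T10:00:20Z", "OperationNameValue": "Microsoft.Storage/storageAccounts/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c1",
     "ResourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stprodweblogs"},
    {"TimeGenerated": "2024-05-01T10:00:45Z", "OperationNameValue": "Microsoft.Sql/servers/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c1",
     "ResourceId": RG + "/providers/Microsoft.Sql/servers/sql-prod-web"},
    {"TimeGenerated": "2024-05-01T10:01:30Z", "OperationNameValue": RG_DELETE_OP,
     "ActivityStatusValue": "Succeeded", "Caller": "alice@contoso.example", "CorrelationId": "c1", "ResourceId": RG},
    # Unrelated single delete in another resource group: no anchor, no finding.
    {"TimeGenerated": "2024-05-01T11:15:00Z", "OperationNameValue": "Microsoft.Compute/virtualMachines/delete",
     "ActivityStatusValue": "Succeeded", "Caller": "bob@contoso.example", "CorrelationId": "c2",
     "ResourceId": SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev-01"},
]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the Activity log emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _rg_id(resource_id):
    """Return the lowercased '/subscriptions/<sub>/resourcegroups/<rg>' prefix of an ARM
    resource ID, or None. ARM IDs are case-insensitive, hence the lowercasing."""
    parts = resource_id.lower().split("/")
    if len(parts) < 5 or parts[1] != "subscriptions" or parts[3] != "resourcegroups":
        return None
    return "/".join(parts[:5])


def find_cascade_deletions(events, window=timedelta(minutes=15), min_children=3):
    """Attribute successful child-resource deletes to the resource group delete that
    caused them. The earliest resourceGroups/delete record per group is the anchor;
    child deletes whose ID sits under that group and that succeeded within `window`
    after the anchor are counted. Returns one finding per group over the threshold."""
    events = sorted(events, key=lambda e: _parse_ts(e["TimeGenerated"]))
    anchors = {}
    for e in events:
        if e["OperationNameValue"] == RG_DELETE_OP and e["ActivityStatusValue"] in RG_DELETE_STATES:
            rg = _rg_id(e["ResourceId"])
            if rg and rg not in anchors:
                anchors[rg] = e
    findings = []
    for rg, anchor in anchors.items():
        t0 = _parse_ts(anchor["TimeGenerated"])
        children = [
            e for e in events
            if e["OperationNameValue"] != RG_DELETE_OP
            and e["OperationNameValue"].lower().endswith("/delete")
            and e["ActivityStatusValue"] == "Succeeded"
            and _rg_id(e["ResourceId"]) == rg
            and t0 <= _parse_ts(e["TimeGenerated"]) <= t0 + window
        ]
        if len(children) >= min_children:
            findings.append({
                "resource_group": rg,
                "caller": anchor["Caller"],            # the principal to investigate
                "correlation_id": anchor.get("CorrelationId"),
                "anchor_time": anchor["TimeGenerated"],
                "deleted_resources": sorted(e["ResourceId"] for e in children),  # recovery list
            })
    return findings


if __name__ == "__main__":
    for f in find_cascade_deletions(SAMPLE_EVENTS):
        print(f["anchor_time"], f["caller"], f["resource_group"], len(f["deleted_resources"]), "resources")
```

Run over the constructed events, this reports one finding: alice's deletion of rg-prod-web with four cascaded child deletes. The earlier vm-old deletion and bob's single deletion in rg-dev are not attributed to any cascade, which is the distinction the alert relies on. The caller and the deleted_resources list are exactly the two artifacts the investigation above asks for: the principal whose other activity to review, and the inventory to check against backups and soft-delete retention.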