Azure API calls indicating Storage account deletion
Description
AlphaSOC detected deletion of an Azure Storage account via
Microsoft.Storage/storageAccounts/delete. Adversaries may delete storage
accounts to destroy data, disrupt services, or remove evidence of their
activities. Storage account deletion can have severe operational impacts if
critical data or application assets are lost.
Impact
Storage account deletion results in permanent loss of all contained data if soft delete is not enabled. Applications depending on the storage account will fail, potentially causing widespread service outages. Backups, logs, and other critical data stored in the account may be permanently lost.
Severity
| Severity | Condition |
|---|---|
| Low | Storage account deletion detected |
| Medium | Anomalous storage account deletion |
Investigation and Remediation
Review Azure Activity logs for Microsoft.Storage/storageAccounts/delete
events. Identify who deleted the storage account and determine if it was
authorized. Assess the impact on applications and services that depended on the
storage account.
If unauthorized, attempt recovery through soft delete if available. Investigate the principal's other activities for signs of broader destructive attacks. Implement resource locks on critical storage accounts and restrict delete permissions through RBAC. Enable soft delete for blob and container recovery.
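The Activity log review described above, as an added example (not AlphaSOC's detection logic): it reduces exported Activity log records to one finding per completed storage account deletion and lists the same caller's other operations. The field names follow `az monitor activity-log list` output; the sample events, the `approved_callers` allowlist and all helper names are assumptions made for illustration.

```python
from collections import defaultdict

DELETE_OP = "microsoft.storage/storageaccounts/delete"
STORAGE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-example/providers/Microsoft.Storage/storageAccounts/")

def _event(ts, caller, operation, status, resource):
    """Constructed record using field names from `az monitor activity-log list`."""
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": operation},
            "status": {"value": status}, "resourceId": STORAGE + resource}

# Constructed sample data: no real tenants, principals or resources.
USER, SP = "alice@example.com", "11111111-1111-1111-1111-111111111111"
LOCK = "stprodlogs01/providers/Microsoft.Authorization/locks/nodelete"
SAMPLE_EVENTS = [
    _event("2024-05-01T09:58:10Z", USER, "Microsoft.Authorization/locks/delete", "Succeeded", LOCK),
    _event("2024-05-01T10:00:01Z", USER, "Microsoft.Storage/storageAccounts/delete", "Started", "stprodlogs01"),
    _event("2024-05-01T10:00:07Z", USER, "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Succeeded", "stprodlogs01"),
    _event("2024-05-01T11:30:00Z", SP, "Microsoft.Storage/storageAccounts/delete", "Succeeded", "stdevtest02"),
    _event("2024-05-01T12:00:00Z", "bob@example.com", "Microsoft.Storage/storageAccounts/write", "Succeeded", "stnewapp03"),
]

def _op(event):
    return event.get("operationName", {}).get("value", "").lower()

def triage_deletions(events, approved_callers=()):
    """One finding per completed deletion, with the caller's other operations."""
    approved = {c.lower() for c in approved_callers}
    ops_by_caller = defaultdict(set)
    for e in events:
        ops_by_caller[e.get("caller", "").lower()].add(_op(e))
    findings = []
    for e in sorted(events, key=lambda e: e["eventTimestamp"]):
        # An operation can log both Started and Succeeded; keep the completed one.
        if _op(e) != DELETE_OP or e["status"]["value"].lower() != "succeeded":
            continue
        caller = e.get("caller", "").lower()
        findings.append({
            "time": e["eventTimestamp"], "caller": caller,
            "account": e["resourceId"].rsplit("/", 1)[-1],
            "approved": caller in approved,
            "other_operations": sorted(ops_by_caller[caller] - {DELETE_OP}),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_deletions(SAMPLE_EVENTS, approved_callers=[SP]):
        print(finding)
```

Operation names are compared case-insensitively because the same operation can appear with different casing depending on where the log was exported from.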