Azure Storage Account Deletion by Unusual User

Last updated 11 days ago on 2025-10-08

Created 11 days ago on 2025-10-08

About

Identifies when an Azure Storage Account is deleted. Adversaries may delete storage accounts to disrupt operations, destroy evidence, or cause denial of service. This activity could indicate an attacker attempting to cover their tracks after data exfiltration or as part of a destructive attack. Monitoring storage account deletions is critical for detecting potential impact on business operations and data availability.

Tags

Domain: CloudDomain: StorageData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: ImpactLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

↳ Data Destruction (T1485)(opens in a new tab or window)

↳ Service Stop (T1489)(opens in a new tab or window)

False Positive Examples

Storage administrators may legitimately delete storage accounts during decommissioning, resource cleanup, or infrastructure optimization. Verify that the deletion was expected and follows organizational change management processes. Consider exceptions for approved maintenance windows.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.activitylogs-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *

Install detection rules in Elastic Security

Detect Azure Storage Account Deletion by Unusual User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).