Azure Recovery Services Resource Deleted

Last updated 11 days ago on 2025-10-13

Created 11 days ago on 2025-10-13

About

Identifies the deletion of Azure Recovery Services resources. Azure Recovery Services vaults contain data for copies of VMs, workloads, servers, and other resources regarding Infrastructure as a Service (IaaS). Adversaries may delete these recovery services to impact backup capabilities during stable operations or to inhibit disaster recovery services during ransom-based attacks or operational disruptions.

Tags

Domain: CloudDomain: StorageData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: ImpactRule Type: BBRLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

↳ Inhibit System Recovery (T1490)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.activitylogs-*filebeat-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:MICROSOFT.RECOVERYSERVICES/*/DELETE and
    event.outcome:(Success or success)

Install detection rules in Elastic Security

Detect Azure Recovery Services Resource Deleted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).