Azure Resource Group Deletion

Last updated 7 days ago on 2025-09-26

Created 5 years ago on 2020-08-17

About

Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.

Tags

Domain: CloudData Source: AzureUse Case: Log AuditingTactic: ImpactLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Impact (TA0040)(opens in a new tab or window)

↳ Data Destruction (T1485)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Impair Defenses (T1562)(opens in a new tab or window)

False Positive Examples

Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.activitylogs-*filebeat-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)

Install detection rules in Elastic Security

Detect Azure Resource Group Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).