Azure Compute Restore Point Collection Deleted by Unusual User

Last updated: 2025-10-13
Created: 2025-10-13

About

Identifies the deletion of Azure Restore Point Collections by a user who has not previously performed this activity. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Adversaries may delete these collections to prevent recovery during ransomware attacks or to cover their tracks during malicious operations.
Tags
Domain: Cloud
Domain: Storage
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Restore Point Collection deletions may be performed by system administrators during routine cleanup or decommissioning activities. Verify whether the user and resource should be performing these operations. Deletions from unfamiliar users or targeting critical resources should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
filebeat-*
Related Integrations

azure

Query
event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
    event.outcome: (Success or success)
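The query above only selects successful Restore Point Collection deletions; the "unusual user" part comes from the New Terms rule type, which alerts only when the term value (the acting user) has not been seen in matching events during a configured history window. The following is an added example, not part of the Elastic rule or its code, that mirrors the KQL filter and the new-terms logic over a handful of constructed activity-log events. It assumes the new-terms field is user.name and the history window is 14 days; neither value is stated on this page, so both are assumptions to check against the installed rule.

```python
from datetime import datetime, timedelta

# Assumptions (not stated on the rule page): the new-terms field is
# user.name and the history window is 14 days.
NEW_TERMS_FIELD = "user.name"
HISTORY_WINDOW = timedelta(days=14)

DELETE_ACTION = "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"

# Constructed sample events, flattened to ECS field names. These are not
# real tenant logs; user and resource names are made up.
SAMPLE_EVENTS = [
    # alice's first successful deletion: should alert
    {"@timestamp": "2025-10-01T10:00:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": DELETE_ACTION, "event.outcome": "Success",
     "user.name": "alice@contoso.example", "azure.resource.name": "rpc-prod-01"},
    # alice again four days later: inside the history window, no alert
    {"@timestamp": "2025-10-05T09:30:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": DELETE_ACTION, "event.outcome": "Success",
     "user.name": "alice@contoso.example", "azure.resource.name": "rpc-prod-02"},
    # mallory's failed attempt: does not match event.outcome, ignored entirely
    {"@timestamp": "2025-10-06T23:10:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": DELETE_ACTION, "event.outcome": "Failure",
     "user.name": "mallory@contoso.example", "azure.resource.name": "rpc-prod-03"},
    # mallory deletes a VM, a different action: ignored by this rule
    {"@timestamp": "2025-10-07T08:00:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "event.outcome": "Success",
     "user.name": "mallory@contoso.example", "azure.resource.name": "vm-prod-03"},
    # mallory's first successful collection deletion: should alert
    {"@timestamp": "2025-10-08T02:45:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": DELETE_ACTION, "event.outcome": "Success",
     "user.name": "mallory@contoso.example", "azure.resource.name": "rpc-prod-03"},
    # alice 25 days after her last deletion: outside the window, alerts again
    {"@timestamp": "2025-10-30T11:00:00+00:00", "event.dataset": "azure.activitylogs",
     "event.action": DELETE_ACTION, "event.outcome": "Success",
     "user.name": "alice@contoso.example", "azure.resource.name": "rpc-prod-04"},
]


def matches_query(ev):
    """Mirror the rule's KQL: dataset, action and a successful outcome."""
    return (ev.get("event.dataset") == "azure.activitylogs"
            and ev.get("event.action") == DELETE_ACTION
            and ev.get("event.outcome") in ("Success", "success"))


def new_term_alerts(events, field=NEW_TERMS_FIELD, window=HISTORY_WINDOW):
    """Return the matching events whose `field` value was not seen in any
    other matching event during the preceding `window`.

    Only events that match the query build history, so a failed deletion or
    an unrelated action by the same user does not make them "known".
    """
    matched = sorted((e for e in events if matches_query(e)),
                     key=lambda e: datetime.fromisoformat(e["@timestamp"]))
    last_seen = {}   # term value -> timestamp of its most recent matching event
    alerts = []
    for ev in matched:
        ts = datetime.fromisoformat(ev["@timestamp"])
        term = ev.get(field)
        prev = last_seen.get(term)
        if prev is None or ts - prev > window:
            alerts.append(ev)
        last_seen[term] = ts
    return alerts


def alert_summary(events=SAMPLE_EVENTS):
    """(user, resource, timestamp) tuples for triage of each alert."""
    return [(a["user.name"], a["azure.resource.name"], a["@timestamp"])
            for a in new_term_alerts(events)]


if __name__ == "__main__":
    for user, resource, ts in alert_summary():
        print(f"{ts}  {user} deleted restore point collection {resource}")
```

Running it yields three alerts: alice's first deletion on 2025-10-01, mallory's first successful deletion on 2025-10-08, and alice again on 2025-10-30 because her previous deletion falls outside the 14-day window. That last case is the one to keep in mind when tuning: a legitimate administrator who cleans up collections only occasionally will keep reappearing as a "new" user unless the history window is widened or the account is exempted.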

Install detection rules in Elastic Security

Detect Azure Compute Restore Point Collection Deleted by Unusual User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.