Azure Compute Snapshot Deletions by User

Last updated 2025-10-10
Created 2025-10-10

About

Identifies when a single user or service principal deletes multiple Azure disk snapshots within a short time period. This behavior may indicate an adversary attempting to inhibit system recovery capabilities, destroy backup evidence, or prepare for a ransomware attack. Mass deletion of snapshots eliminates restore points and significantly impacts disaster recovery capabilities, making it a critical indicator of potentially malicious activity.
Tags
Domain: Cloud
Domain: Storage
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Infrastructure teams may legitimately delete multiple snapshots during planned maintenance, storage optimization, or cleanup of expired backup data according to retention policies. Verify that the deletion activity was expected and follows organizational change management processes. Consider exceptions for approved maintenance windows or automation service principals managing backup retention.
License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure

Query
event.dataset: azure.activitylogs and
    azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and
    azure.activitylogs.properties.status_code: "Accepted" and
    azure.activitylogs.identity.claims_initiated_by_user.name: *
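
The query above is only the filter half of a threshold rule: it selects accepted snapshot-delete operations that carry an initiating identity, and the detection engine then counts those hits per initiator inside its threshold window. The page does not show the threshold count or window, so the example below, which is an added illustration and not Elastic's rule code, replays the same filter over constructed, flattened Azure Activity Log events and applies an assumed threshold (three or more deletions by one identity within five minutes). The field names mirror the query; the event records, the identity names, and the threshold values are constructed for illustration.

```python
"""Added example (not Elastic's code): replay the rule's KQL filter over
constructed Azure Activity Log events and apply a per-identity threshold.

The rule page does not state its threshold count or window, so
MIN_DELETIONS and WINDOW below are assumptions chosen for illustration.
Events are flattened to dotted keys for readability; real documents are nested.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed threshold parameters (the page says only "multiple" deletions
# within a "short time period"); align with the deployed rule's settings.
MIN_DELETIONS = 3
WINDOW = timedelta(minutes=5)

# Field names taken from the rule query above.
DATASET = "event.dataset"
OP = "azure.activitylogs.operation_name"
STATUS = "azure.activitylogs.properties.status_code"
USER = "azure.activitylogs.identity.claims_initiated_by_user.name"


def _ev(ts, user, op="MICROSOFT.COMPUTE/SNAPSHOTS/DELETE", status="Accepted"):
    """Build one constructed event; user=None omits the initiator field."""
    event = {"@timestamp": ts, DATASET: "azure.activitylogs", OP: op, STATUS: status}
    if user is not None:
        event[USER] = user
    return event


# Constructed sample data: alice deletes four snapshots in three minutes,
# bob deletes two, carol deletes three but an hour apart, plus records the
# filter must ignore (a Succeeded completion, a disk delete, no initiator).
SAMPLE_EVENTS = [
    _ev("2025-10-10T08:00:00Z", "alice@example.com"),
    _ev("2025-10-10T08:01:00Z", "alice@example.com"),
    _ev("2025-10-10T08:02:00Z", "alice@example.com"),
    _ev("2025-10-10T08:03:00Z", "alice@example.com"),
    _ev("2025-10-10T08:04:00Z", "alice@example.com", status="Succeeded"),
    _ev("2025-10-10T08:04:30Z", "alice@example.com", op="MICROSOFT.COMPUTE/DISKS/DELETE"),
    _ev("2025-10-10T08:10:00Z", "bob@example.com"),
    _ev("2025-10-10T08:11:00Z", "bob@example.com"),
    _ev("2025-10-10T09:00:00Z", "carol@example.com"),
    _ev("2025-10-10T10:00:00Z", "carol@example.com"),
    _ev("2025-10-10T11:00:00Z", "carol@example.com"),
    _ev("2025-10-10T08:05:00Z", None),
]


def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_rule(event):
    """Mirror the KQL: exact keyword matches plus `field: *` (field must exist)."""
    return (
        event.get(DATASET) == "azure.activitylogs"
        and event.get(OP) == "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
        and event.get(STATUS) == "Accepted"
        and bool(event.get(USER))
    )


def find_mass_deletions(events, min_deletions=MIN_DELETIONS, window=WINDOW):
    """Return {initiator: max deletions seen in any `window`} for initiators
    whose peak count reaches `min_deletions` (the threshold-rule step)."""
    by_user = defaultdict(list)
    for event in events:
        if matches_rule(event):
            by_user[event[USER]].append(parse_ts(event["@timestamp"]))

    alerts = {}
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_deletions:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, count in find_mass_deletions(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {count} snapshot deletions within {WINDOW}")
```

Only alice trips the assumed threshold: the Succeeded record for her delete is not counted because the rule keys on the Accepted status, so a single asynchronous delete is not double counted, and carol's three deletions fall outside any five-minute window. When tuning the rule, check the deployed threshold settings rather than this example's constants, and consider the automation service principals mentioned under False Positive Examples, which will satisfy the `claims_initiated_by_user.name: *` clause just as a human user does.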

Install detection rules in Elastic Security

Detect Azure Compute Snapshot Deletions by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.