Azure Compute Restore Point Collections Deleted

Last updated: 2025-10-13
Created: 2025-10-13

About

Identifies multiple Azure Restore Point Collections being deleted by a single user within a short time period. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Mass deletion of these collections is a common tactic used by adversaries during ransomware attacks to prevent victim recovery or to maximize impact during destructive operations. Multiple deletions in rapid succession may indicate malicious intent.
Tags
Domain: Cloud
Domain: Storage
Data Source: Azure
Data Source: Azure Activity Logs
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Planned decommissioning activities or large-scale infrastructure changes may result in legitimate bulk deletion of Restore Point Collections. Verify with the user and change management processes whether these deletions are authorized. Large-scale migration or cleanup projects should be coordinated and documented to avoid false positives.
License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
filebeat-*
Related Integrations

azure

Query
event.dataset: azure.activitylogs and
    event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
    event.outcome: (Success or success)
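The query above only selects matching events; the threshold rule then counts them per user within a time window. The following is an added illustration, not Elastic's rule code: it applies the same three query conditions to constructed Azure Activity Log events and then applies a sliding-window threshold. The grouping field `user.name` and the 3-deletes-in-5-minutes threshold are assumptions, not the rule's published settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Elastic's rule code. Grouping on `user.name` and the
# 3-deletes-in-5-minutes threshold are assumptions for illustration.
DELETE_ACTION = "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"

def make_event(ts, user, action=DELETE_ACTION, outcome="Success"):
    # Flat, dotted ECS-style keys covering the fields the query references.
    return {"@timestamp": ts, "event.dataset": "azure.activitylogs",
            "event.action": action, "event.outcome": outcome, "user.name": user}

# Constructed sample: alice bulk-deletes (one attempt fails), carol deletes a
# VM rather than a collection, dave's deletes are spread over 20 minutes.
SAMPLE_EVENTS = [
    make_event("2025-10-13T10:00:00Z", "alice"),
    make_event("2025-10-13T10:00:30Z", "alice", outcome="Failure"),
    make_event("2025-10-13T10:01:00Z", "alice"),
    make_event("2025-10-13T10:02:00Z", "alice"),
    make_event("2025-10-13T10:00:00Z", "carol", action="MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"),
    make_event("2025-10-13T10:00:00Z", "dave"),
    make_event("2025-10-13T10:10:00Z", "dave"),
    make_event("2025-10-13T10:20:00Z", "dave"),
]

def matches_query(event):
    # Same conditions as the KQL; keyword fields match exactly, hence both
    # "Success" and "success" in the rule's query.
    return (event.get("event.dataset") == "azure.activitylogs"
            and event.get("event.action") == DELETE_ACTION
            and event.get("event.outcome") in ("Success", "success"))

def threshold_hits(events, group_field="user.name",
                   window=timedelta(minutes=5), threshold=3):
    # Returns {user: most matching deletes inside any `window`} for users
    # reaching `threshold`, i.e. the alerts a threshold rule would raise.
    per_user = defaultdict(list)
    for e in events:
        if matches_query(e):
            ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            per_user[e[group_field]].append(ts)
    hits = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[user] = best
    return hits
```

With the sample data only alice is reported (three successful deletions within two minutes; the failed attempt and dave's widely spaced deletions do not count), which is the distinction a triage analyst should check before escalating.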

Install detection rules in Elastic Security

Detect Azure Compute Restore Point Collections Deleted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.