KQL · MIT · from Azure/Azure-Sentinel

Azure Diagnostic settings removed from a resource

'This query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious insider trying to evade detection before a malicious act is performed. If the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignored.'

Rule source: Detections/AzureActivity/AzDiagSettingsDeleted.yaml
// Detection: a diagnostic setting was deleted from an Azure resource.
// Deleting diagnostic settings removes a log/metric export path, so it is a
// defence-evasion signal worth reviewing. Deletions that are a by-product of
// the monitored parent resource itself being successfully deleted are dropped.
let DiagSettingsDeleteOp = "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE";
// Resource IDs of anything (other than a diagnostic setting) that was
// successfully deleted in the query window. Used to suppress diagnostic-setting
// deletions whose parent resource went away.
// NOTE(review): this set is not correlated in time with the individual
// diagnostic-setting deletion, only by resource ID — confirm this is intended.
let DeletedParentResources = AzureActivity
    | where OperationNameValue !~ DiagSettingsDeleteOp
        and OperationNameValue endswith "/DELETE"
        and ActivityStatusValue has_any ("Success", "Succeeded")
    | project _ResourceId;
AzureActivity
| where OperationNameValue =~ DiagSettingsDeleteOp
// One row per operation (CorrelationId + target + operation): latest event's
// TimeGenerated/Properties, up to 5 observed status values, and any one value
// of the remaining descriptive columns.
| summarize
    TimeGenerated = arg_max(TimeGenerated, Properties),
    ActivityStatusValue = make_set(ActivityStatusValue, 5),
    take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)
    by CorrelationId, _ResourceId, OperationNameValue
// Rebuild the ID of the monitored parent resource by dropping the trailing
// four path segments of the diagnostic-setting resource ID (array_slice's end
// index is inclusive, hence length-5). Presumably those four segments are
// ".../providers/microsoft.insights/diagnosticSettings/<name>" — verify.
| extend IdSegments = split(_ResourceId, "/")
| extend MonitoredResourcePath = strcat_array(array_slice(IdSegments, 0, array_length(IdSegments) - 5), "/")
// Keep only deletions whose parent resource was NOT itself deleted.
| join kind=leftanti DeletedParentResources on $left.MonitoredResourcePath == $right._ResourceId
// Split a UPN-shaped Caller into Name / UPNSuffix; otherwise treat Caller as an
// AAD object ID (AadUserId) for entity mapping.
| extend CallerParts = split(Caller, "@")
| extend
    Name = iif(Caller has "@", tostring(CallerParts[0]), ""),
    UPNSuffix = iif(Caller has "@", tostring(CallerParts[1]), ""),
    AadUserId = iif(Caller has "@", "", Caller)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId