(Mass) Cloud Resource Deletion
Cloud Resource Deletion
Query
let Threshold = 20;
let BinSize = 1d;
CloudAuditEvents
| where ActionType == "CloudAuditEventDelete"
| summarize TotalActions = count(), arg_max(Timestamp, *) by bin(Timestamp, BinSize), Account, DataSource
| where TotalActions > ThresholdAbout this query
(Mass) Cloud Resource Deletion
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1485 | Data Destruction | https://attack.mitre.org/techniques/T1485/ |
Description
This query can be used to detect (mass) resource deletion in your cloud environment. The query uses the Threshold and BinSize variables to trigger. The default is set to the deletion of 20 cloud resources in a timespan of 1 day, you can modify this to your needs.
Risk
An actor deletes multiple cloud resources to create impact.
References
Defender XDR
Explanation
This query is designed to detect significant deletions of cloud resources in your environment, which could indicate malicious activity. It focuses on identifying instances where a large number of resources are deleted within a specified time frame. By default, it looks for situations where more than 20 resources are deleted in a single day. You can adjust these parameters to better fit your specific monitoring needs. The query works by examining cloud audit events for deletion actions, counting how many deletions occur, and then flagging any instances where the count exceeds the set threshold. This helps in identifying potential data destruction activities that could be harmful to your cloud infrastructure.
