Azure account deletion by a non-standard account

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Account Access Removal (T1531)

Severity

Low

Description

An Azure AD account deletion was performed by a user who does not typically delete users.

Attacker's Goals

Disrupt availability of, and access to, Azure resources by deleting accounts.

Investigative actions

  • Review the subsequent actions taken by the initiating identity.
  • Check which services, groups and applications are affected by the removal of the deleted user.
  • Check whether the deleted user held a privileged role.
  • Check whether the deleted user is still in the directory's deleted-items container (Entra ID retains soft-deleted users for 30 days) and whether it should be restored.

Variations

Azure account deletion by a non-standard account with high administrative activity

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Account Access Removal (T1531)

Severity

Informational

Description

An Azure AD account deletion was performed by an identity that has high administrative activity but does not typically delete users.

Attacker's Goals

Disrupt availability of, and access to, Azure resources by deleting accounts.

Investigative actions

  • Review the subsequent actions taken by the initiating identity.
  • Check which services, groups and applications are affected by the removal of the deleted user.
  • Check whether the deleted user held a privileged role.
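The following is an added example of the detection logic described for this alert and for the "high administrative activity" variation above; it is not Cortex XDR's own detector code. It replays constructed Microsoft Entra ID (Azure AD) audit-log entries, uses the page's 14-day activation, 30-day training and 1-day deduplication periods, and assigns Low or Informational severity depending on the initiator's administrative activity. The field names (activityDisplayName, category, initiatedBy.user.userPrincipalName, targetResources) follow the Entra audit-log schema; the thresholds MIN_BASELINE_DAYS and ADMIN_ACTIVITY_THRESHOLD, the ADMIN_CATEGORIES set and all sample identities are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

ACTIVATION_PERIOD = timedelta(days=14)  # page: Activation Period
TRAINING_PERIOD = timedelta(days=30)    # page: Training Period
DEDUP_PERIOD = timedelta(days=1)        # page: Deduplication Period
# Assumptions not stated on the page:
MIN_BASELINE_DAYS = 2          # "typically deletes users" = deletions on >= 2 distinct prior days
ADMIN_ACTIVITY_THRESHOLD = 20  # "high administrative activity" = >= 20 admin operations in window
ADMIN_CATEGORIES = {"UserManagement", "GroupManagement", "RoleManagement"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _initiator(e):
    # Entra audit logs nest the actor under initiatedBy.user or initiatedBy.app
    who = e.get("initiatedBy", {})
    if "user" in who:
        return who["user"].get("userPrincipalName")
    if "app" in who:
        return who["app"].get("displayName")
    return None


def _is_user_deletion(e):
    return e.get("activityDisplayName") == "Delete user" and e.get("result") == "success"


def detect(events):
    """Return one alert per successful user deletion by a non-standard initiator."""
    events = sorted(events, key=lambda e: _ts(e["activityDateTime"]))
    if not events:
        return []
    start = _ts(events[0]["activityDateTime"])
    alerts, last_alert = [], {}  # last_alert: initiator -> time of last alert (dedup)
    for idx, e in enumerate(events):
        if not _is_user_deletion(e):
            continue
        t, actor = _ts(e["activityDateTime"]), _initiator(e)
        if t < start + ACTIVATION_PERIOD:
            continue  # no alerts until the activation period has elapsed
        window = [w for w in events[:idx] if _ts(w["activityDateTime"]) >= t - TRAINING_PERIOD]
        # Baseline: distinct days on which this actor already deleted users in the training window
        prior_days = {_ts(w["activityDateTime"]).date() for w in window
                      if _is_user_deletion(w) and _initiator(w) == actor}
        if len(prior_days) >= MIN_BASELINE_DAYS:
            continue  # a standard deleter, not alerted
        if actor in last_alert and t - last_alert[actor] < DEDUP_PERIOD:
            continue  # deduplicated within the 1-day window
        admin_ops = sum(1 for w in window
                        if _initiator(w) == actor and w.get("category") in ADMIN_CATEGORIES)
        severity = "Informational" if admin_ops >= ADMIN_ACTIVITY_THRESHOLD else "Low"
        targets = [r.get("userPrincipalName") for r in e.get("targetResources", [])]
        alerts.append({"time": e["activityDateTime"], "initiator": actor, "deleted": targets,
                       "admin_ops": admin_ops, "severity": severity})
        last_alert[actor] = t
    return alerts


def _ev(ts, activity, category, by, target=None):
    # Constructed audit-log entry in the shape of an Entra ID audit record (assumed schema)
    e = {"activityDateTime": ts, "activityDisplayName": activity, "category": category,
         "result": "success", "initiatedBy": {"user": {"userPrincipalName": by}},
         "targetResources": []}
    if target:
        e["targetResources"] = [{"type": "User", "userPrincipalName": target}]
    return e


def sample_events():
    """Constructed sample data: three initiators with different deletion habits."""
    base = datetime(2024, 11, 1, tzinfo=timezone.utc)
    ev = []
    # iam-admin deletes leavers weekly -> enters the baseline after two prior days
    for d in (2, 9, 16, 23):
        ev.append(_ev((base + timedelta(days=d)).isoformat(), "Delete user", "UserManagement",
                      "iam-admin@example.com", f"leaver{d}@example.com"))
    # helpdesk does 25 group-membership changes, then one user deletion -> Informational
    for i in range(25):
        ev.append(_ev((base + timedelta(days=5, hours=i)).isoformat(), "Add member to group",
                      "GroupManagement", "helpdesk@example.com"))
    ev.append(_ev((base + timedelta(days=20)).isoformat(), "Delete user", "UserManagement",
                  "helpdesk@example.com", "contractor@example.com"))
    # dev never touches directory objects, then deletes two users two hours apart -> Low, second deduplicated
    ev.append(_ev((base + timedelta(days=25)).isoformat(), "Delete user", "UserManagement",
                  "dev@example.com", "cfo@example.com"))
    ev.append(_ev((base + timedelta(days=25, hours=2)).isoformat(), "Delete user", "UserManagement",
                  "dev@example.com", "ciso@example.com"))
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

On the sample data, iam-admin's deletions are suppressed once two prior deletion days are in the training window, helpdesk's single deletion is raised at Informational because of its 25 group operations, and dev's first deletion is raised at Low while the second is deduplicated. Real Entra audit records can also carry an app as the initiator (initiatedBy.app), which is why the initiator lookup handles both forms.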


A suspicious Azure account deletion by a non-standard account

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Account Access Removal (T1531)

Severity

Medium

Description

An Azure AD account deletion was performed in a suspicious manner by a user who does not typically delete users.

Attacker's Goals

Disrupt availability of, and access to, Azure resources by deleting accounts.

Investigative actions

  • Review the subsequent actions taken by the initiating identity.
  • Check which services, groups and applications are affected by the removal of the deleted user.
  • Check whether the deleted user held a privileged role.