Description
Summary
Per Microsoft's report on Storm-0501, unusual deletion of disk snapshots in Azure Compute was a key indicator of data destruction prior to ransom demands. We are missing coverage for unusual snapshot deletions. Because this activity is also legitimate during maintenance, migration, etc., we can focus on the New Terms and Threshold rule types. A New Terms rule on the UPN and resource group will identify instances where an uncommon user deletes snapshots in a resource group they do not typically perform maintenance in. For the Threshold rule, it is common to have 2-3 snapshots per VM disk, so a single UPN deleting >= 3 snapshots within a 10-minute window should be flagged as anomalous.
We expect moderate false positives over time for these rules since they signal on legitimate operations; however, these rule types should help reduce false-positive volume for scenarios such as maintenance, data migration, testing, etc. Tuning will depend on client IDs or specific metadata in the identity claims, but we expect users to add their own exceptions as well.
Emulation has been completed for this behavior to test the following query on real data.
```kql
event.dataset: azure.activitylogs and
azure.activitylogs.operation_name: "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE" and
azure.activitylogs.properties.status_code: "Accepted" and
azure.activitylogs.identity.claims_initiated_by_user.name: *
```
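Added example (not code from this issue or from the detection-rules repo): the two proposed rule types emulated in Python over constructed Azure activity-log documents. The base KQL above is re-evaluated per document; the New Terms check keys on the (UPN, resource group) pair with an assumed 14-day learning window, and the Threshold check is a sliding 10-minute window per UPN that fires once when the count reaches 3. The resource group is parsed out of `azure.resource.id`; the flat field names, the `snapshot_delete` helper, the UPNs, subscription and resource IDs, and the timestamps are all constructed for illustration.

```python
"""Emulation of the New Terms and Threshold logic for Azure snapshot deletes.
Added example; the documents below are constructed, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

OPERATION = "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"
THRESHOLD = 3                            # >= 3 accepted deletes by one UPN ...
THRESHOLD_WINDOW = timedelta(minutes=10)  # ... within a 10-minute window
NEW_TERMS_HISTORY = timedelta(days=14)    # assumed learning window for New Terms


def matches_base_query(doc):
    """The issue's KQL, evaluated against one flat document."""
    return (doc.get("event.dataset") == "azure.activitylogs"
            and doc.get("azure.activitylogs.operation_name", "").upper() == OPERATION
            and doc.get("azure.activitylogs.properties.status_code") == "Accepted"
            and bool(doc.get("azure.activitylogs.identity.claims_initiated_by_user.name")))


def resource_group(resource_id):
    """Extract the resource group from an Azure resource ID; the segment name is case-insensitive."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "resourcegroups":
            return parts[i + 1].lower()
    return None


def new_terms_alerts(docs, evaluate_from):
    """Alert on a (UPN, resource group) pair not seen in the prior NEW_TERMS_HISTORY.
    Documents older than evaluate_from only populate history and never alert."""
    last_seen, alerts = {}, []
    for d in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches_base_query(d):
            continue
        key = (d["azure.activitylogs.identity.claims_initiated_by_user.name"].lower(),
               resource_group(d["azure.resource.id"]))
        prev, ts = last_seen.get(key), d["@timestamp"]
        if ts >= evaluate_from and (prev is None or ts - prev > NEW_TERMS_HISTORY):
            alerts.append((ts, *key))
        last_seen[key] = ts
    return alerts


def threshold_alerts(docs):
    """One alert when a single UPN reaches THRESHOLD accepted deletes inside THRESHOLD_WINDOW."""
    recent, alerts = defaultdict(deque), []
    for d in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches_base_query(d):
            continue
        upn = d["azure.activitylogs.identity.claims_initiated_by_user.name"].lower()
        ts, q = d["@timestamp"], recent[upn]
        q.append(ts)
        while ts - q[0] > THRESHOLD_WINDOW:  # drop deletes that fell out of the sliding window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((q[0], upn, len(q)))
            q.clear()  # restart the count so a burst of N deletes yields one alert, not N-2
    return alerts


# ---- constructed sample data ------------------------------------------------
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
EVALUATE_FROM = T0 - timedelta(days=1)
RG_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"


def snapshot_delete(ts, upn, rg, snap, status="Accepted"):
    """Constructed activity-log document carrying only the fields the rules touch."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.activitylogs",
        "azure.activitylogs.operation_name": OPERATION,
        "azure.activitylogs.properties.status_code": status,
        "azure.activitylogs.identity.claims_initiated_by_user.name": upn,
        "azure.resource.id": f"{RG_PREFIX}{rg}/providers/Microsoft.Compute/snapshots/{snap}",
    }


SAMPLE_DOCS = [
    # baseline: alice routinely cleans up snapshots in prod-rg
    snapshot_delete(T0 - timedelta(days=5), "alice@contoso.com", "prod-rg", "vm01-snap-old"),
    snapshot_delete(T0 - timedelta(days=3), "alice@contoso.com", "prod-rg", "vm02-snap-old"),
    # alice's single routine delete on the day in question: known pair, no alert
    snapshot_delete(T0 + timedelta(minutes=1), "alice@contoso.com", "prod-rg", "vm03-snap-1"),
    # bob has no history in prod-rg and deletes four snapshots in nine minutes
    snapshot_delete(T0, "bob@contoso.com", "prod-rg", "vm01-snap-1"),
    snapshot_delete(T0 + timedelta(minutes=2), "bob@contoso.com", "prod-rg", "vm01-snap-2"),
    snapshot_delete(T0 + timedelta(minutes=3), "bob@contoso.com", "prod-rg", "vm02-snap-1", status="Failed"),
    snapshot_delete(T0 + timedelta(minutes=4), "bob@contoso.com", "prod-rg", "vm02-snap-2"),
    snapshot_delete(T0 + timedelta(minutes=9), "bob@contoso.com", "prod-rg", "vm02-snap-3"),
    # later, one delete in a second resource group bob has never touched
    snapshot_delete(T0 + timedelta(minutes=30), "bob@contoso.com", "test-rg", "vm09-snap-1"),
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_DOCS, EVALUATE_FROM):
        print("new-terms:", a)
    for a in threshold_alerts(SAMPLE_DOCS):
        print("threshold:", a)
```

Run as-is it reports two New Terms alerts (bob in prod-rg, then bob in test-rg) and one Threshold alert (bob, three accepted deletes starting at T0); the "Failed" delete is dropped by the base query, and alice's single delete in a resource group she already maintains produces nothing from either rule, which is the false-positive reduction the issue is after.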