Summary

Missing detections for unusual storage account deletions via MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE operation in Azure. Storage Accounts in Azure are created as a container for specific Azure storage types such as Blob, File, Table, etc. These storage types are tied specifically to storage accounts and thus the deletion of them can impact operations. Adversaries, such as STORM-0501 carry out ransom-based operations that involve deleting storage accounts to make data inaccessible.

Detection Rules: Since storage account deletion is not uncommon by administrators or even IaC efforts the introduced rules should be a mix of New Terms and Threshold-based. New Terms on an unexpected user deleting a storage account and threshold on > 5 storage accounts being deleted. The threshold here is arbitrary but would warrant investigation. For New Terms, while it may flag on an FP such as maintanance or testing, it should reduce volume significantly if it's the same user.

Ref: https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/