Description
Summary
Missing detections for Azure Compute Restore Point Collection deletions by an unusual user or hitting a threshold. Azure Compute Restore Point Collections are critical components for disaster recovery, containing snapshots that enable point-in-time recovery of virtual machines. Deletion of these collections can severely impact an organization's ability to recover from incidents, making them attractive targets for adversaries conducting ransomware attacks or attempting to cover their tracks.
Observed in the STORM-0501 ransom-based operation, as reported by MSFT.
Restore Point Collections can be more impactful than snapshots, so we decided not to make this a building block rule. The New Terms rule flags only when the specific resource group and UPN pair has not previously been seen performing deletions, which eliminates the FP volume when maintenance or data migration is taking place. However, if a user does not commonly delete restore point collections in a specific RG, it will still flag. For the threshold rule, if a single user has deleted >= 3 restore point collections, it flags. The thresholds can be adjusted accordingly by customers or increased OOTB over time.
Emulation has been completed to test the following query:
```
event.dataset: azure.activitylogs and
event.action: "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE" and
event.outcome: (Success or success)
```
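The query above, together with the New Terms (resource group + UPN not seen before) and threshold (>= 3 deletions by one user) logic described in the summary, replayed over constructed activity-log events; this is an added illustration, not the rule's own code, and the flattened field names `azure.resource.group` and `user.name` plus the sample events are assumptions for this example.

```python
from collections import Counter

DELETE_ACTION = "MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/DELETE"


def _ev(user, rg, outcome="Success", action=DELETE_ACTION):
    """Build a constructed, flattened Azure activity-log event (field names assumed)."""
    return {"event.dataset": "azure.activitylogs", "event.action": action,
            "event.outcome": outcome, "azure.resource.group": rg, "user.name": user}


# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    _ev("alice@example.com", "rg-prod"),                    # known maintenance pair
    _ev("bob@example.com", "rg-prod"),
    _ev("bob@example.com", "rg-prod"),
    _ev("bob@example.com", "rg-prod"),                      # third success: hits threshold
    _ev("carol@example.com", "rg-dr", outcome="Failure"),   # failed delete: not matched
    _ev("dave@example.com", "rg-dr",
        action="MICROSOFT.COMPUTE/SNAPSHOTS/DELETE"),        # different action: not matched
]

# (resource group, UPN) pairs already seen deleting during the New Terms history window.
BASELINE = {("rg-prod", "alice@example.com")}


def matches_query(ev):
    """The base query: dataset, action and a successful outcome ('Success' or 'success')."""
    return (ev.get("event.dataset") == "azure.activitylogs"
            and ev.get("event.action") == DELETE_ACTION
            and ev.get("event.outcome", "").lower() == "success")


def new_terms_alerts(events, baseline):
    """New Terms logic: alert once per (RG, UPN) pair that has not deleted before."""
    seen = set(baseline)
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        key = (ev["azure.resource.group"], ev["user.name"])
        if key not in seen:
            alerts.append(key)
            seen.add(key)
    return alerts


def threshold_alerts(events, threshold=3):
    """Threshold logic: users with at least `threshold` successful collection deletions."""
    counts = Counter(ev["user.name"] for ev in events if matches_query(ev))
    return sorted(user for user, n in counts.items() if n >= threshold)
```

Alice's deletion is suppressed by the baseline, while Bob's first deletion in rg-prod raises a New Terms alert and his third raises the threshold alert; the failed and non-matching events are ignored by both.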