Technique ID | Title | Link |
---|---|---|
T1485 | Data Destruction | https://attack.mitre.org/techniques/T1485/ |
This query detects (mass) deletion of cloud resources in your cloud environment. It is driven by two variables: Threshold (the number of deletions) and BinSize (the time window in which they are counted). With the defaults, the query fires when a single account deletes more than 20 cloud resources within the same 1-day bin, counted separately per data source; adjust both values to your environment. Note that bin() produces fixed, non-sliding windows, so a burst of deletions that straddles a bin boundary is split across two bins and may stay below the threshold; lower the threshold or shorten the bin size if that matters for your use case. Expect benign hits from infrastructure-as-code pipelines and cleanup automation, and consider excluding those accounts after validating them.
An actor deletes multiple cloud resources to create impact.
```kql
// Number of deletions (per account and data source) above which the rule fires.
let Threshold = 20;
// Width of the fixed time window (bin) in which deletions are counted.
let BinSize = 1d;
CloudAuditEvents
// Keep only resource deletions.
| where ActionType == "CloudAuditEventDelete"
// Count deletions per bin, account and data source; arg_max keeps the columns of the most recent deletion for context.
| summarize TotalActions = count(), arg_max(Timestamp, *) by bin(Timestamp, BinSize), Account, DataSource
// Strictly greater than Threshold, so the default fires at 21 or more deletions in one bin.
| where TotalActions > Threshold
```
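As an added example (not part of the original rule or repository), the following Python reimplements the same detection logic over constructed, in-memory CloudAuditEvents-like rows so it can be run offline. It reproduces the KQL semantics (filter on the delete action type, count per bin()/Account/DataSource, keep the latest timestamp, fire on strictly more than Threshold) and adds a sliding-window variant to show the bin-boundary caveat from the description: a burst split across midnight stays under the threshold with fixed bins but is caught by a sliding window. The account names, data source labels and timestamps are all made up for the example; the column names follow the query above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

THRESHOLD = 20               # mirrors `let Threshold = 20;`
BIN_SIZE = timedelta(days=1)  # mirrors `let BinSize = 1d;`
DELETE_ACTION = "CloudAuditEventDelete"
UTC = timezone.utc


@dataclass(frozen=True)
class CloudAuditEvent:
    """Minimal stand-in for a CloudAuditEvents row (constructed, not the real schema)."""
    timestamp: datetime
    action_type: str
    account: str
    data_source: str


def bin_start(ts: datetime, bin_size: timedelta) -> datetime:
    """Equivalent of KQL bin(): floor the timestamp to a multiple of bin_size since the epoch."""
    epoch = datetime(1970, 1, 1, tzinfo=UTC)
    return epoch + ((ts - epoch) // bin_size) * bin_size


def mass_deletions_binned(events, threshold=THRESHOLD, bin_size=BIN_SIZE):
    """Fixed-bin detection, same as the KQL summarize/where above.

    Returns {(bin_start, account, data_source): (total_actions, latest_timestamp)}
    for every group with strictly more than `threshold` deletions.
    """
    counts = defaultdict(int)
    latest = {}
    for e in events:
        if e.action_type != DELETE_ACTION:
            continue
        key = (bin_start(e.timestamp, bin_size), e.account, e.data_source)
        counts[key] += 1
        if key not in latest or e.timestamp > latest[key]:  # arg_max(Timestamp, *)
            latest[key] = e.timestamp
    return {k: (n, latest[k]) for k, n in counts.items() if n > threshold}


def mass_deletions_sliding(events, threshold=THRESHOLD, window=BIN_SIZE):
    """Sliding-window variant: flags an account/data source if any window of
    length `window` contains more than `threshold` deletions, regardless of
    where the bin boundaries fall. Returns {(account, data_source): max_in_window}.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e.action_type == DELETE_ACTION:
            per_actor[(e.account, e.data_source)].append(e.timestamp)
    hits = {}
    for actor, times in per_actor.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:  # shrink window from the left
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            hits[actor] = best
    return hits


def _burst(account, source, start, n, action=DELETE_ACTION, step=timedelta(minutes=1)):
    """Helper to construct n events one minute apart (sample data only)."""
    return [CloudAuditEvent(start + i * step, action, account, source) for i in range(n)]


# Constructed sample log: names, sources and times are invented for this example.
SAMPLE_EVENTS = (
    # 25 deletions inside one day: caught by both approaches.
    _burst("alice@contoso.example", "Azure Resource Manager", datetime(2024, 5, 1, 10, 0, tzinfo=UTC), 25)
    # 15 + 10 deletions in 29 minutes, straddling midnight: fixed bins see 15 and 10, sliding sees 25.
    + _burst("svc-deploy@contoso.example", "AWS", datetime(2024, 5, 1, 23, 45, tzinfo=UTC), 15)
    + _burst("svc-deploy@contoso.example", "AWS", datetime(2024, 5, 2, 0, 5, tzinfo=UTC), 10)
    # Exactly 20 deletions: not flagged, because the rule uses `> Threshold`.
    + _burst("bob@contoso.example", "GCP", datetime(2024, 5, 1, 12, 0, tzinfo=UTC), 20)
    # 30 non-delete actions: filtered out by the ActionType check.
    + _burst("alice@contoso.example", "Azure Resource Manager", datetime(2024, 5, 1, 9, 0, tzinfo=UTC), 30,
             action="CloudAuditEventCreate")
)

if __name__ == "__main__":
    for key, (n, last) in mass_deletions_binned(SAMPLE_EVENTS).items():
        print("binned :", key, n, "deletions, latest", last.isoformat())
    for actor, n in mass_deletions_sliding(SAMPLE_EVENTS).items():
        print("sliding:", actor, n, "deletions in one window")
```

Running it shows only the alice/Azure Resource Manager group from the fixed-bin version, while the sliding variant also flags the svc-deploy/AWS burst; the account with exactly 20 deletions appears in neither, which is the `>` semantics of the KQL rule.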