Azure Diagnostic settings removed from a resource



This query looks for diagnostic settings that are removed from a resource. This could indicate an attacker or malicious insider trying to evade detection before a malicious act is performed. If the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignored.

Type: Analytic Rule
Solution: Standalone Content
ID: 6e95aef3-a1e0-4063-8e74-cd59aa59f245
Severity: Medium
Kind: Scheduled
Tactics: DefenseEvasion
Techniques: T1562.008
Required Connectors: AzureActivity
Source: View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
AzureActivity ? ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
AzureActivity Azure Activity

Solutions: Azure Activity

