This query identifies attempts by an attacker to delete backup containers and also searches for security alerts that may be linked to the same activity, in order to uncover additional information about the attacker's actions. Although such activity can be legitimate as part of business operations, some ransomware actors perform it to interrupt regular business services.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Defender for Cloud |
| ID | 011c84d8-85f0-4370-b864-24c13455aa94 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Impact |
| Techniques | T1496 |
| Required Connectors | AzureSecurityCenter, MicrosoftDefenderForCloudTenantBased |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CoreAzureBackup | State == "Deleted" | ✓ | ✗ | ? |
| SecurityAlert | | ✓ | ✗ | ✓ |