
Azure resource lock deleted

Goal

Detect when an Azure resource lock is deleted.

Strategy

Monitor Azure authorization logs where @evt.name is MICROSOFT.AUTHORIZATION/LOCKS/DELETE and @evt.outcome is Success. Resource locks prevent accidental deletion or modification of critical Azure resources. Removing a resource lock may be a precursor to unauthorized modification or deletion of the protected resources.

Triage and response

  • Determine if {{@usr.id}} had a legitimate reason to delete the resource lock.
  • Identify which resource was unlocked and assess its criticality.
  • Review subsequent actions taken on the unlocked resource to determine if unauthorized modifications or deletions occurred.
  • Check for other suspicious activity from the same user or IP address around the same time.
  • Re-enable the resource lock if the change was unauthorized and verify no data loss has occurred.
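
The rule's filter and the "review subsequent actions" triage step can be prototyped offline over exported events. The following is an added example, not Datadog's rule code: the events are constructed, and the flat dictionary layout, the `resource_id` and `timestamp` field names, and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

LOCK_DELETE = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE"
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"

def locked_scope(lock_id):
    """Scope the lock protected: the lock's resource ID up to the lock segment."""
    rid = lock_id.lower()  # Azure resource IDs are case-insensitive
    idx = rid.rfind(LOCK_SEGMENT)
    return rid[:idx] if idx != -1 else None

def find_lock_deletions(events):
    """Apply the rule's filter: lock delete operation with a Success outcome."""
    return [e for e in events
            if e["evt.name"].upper() == LOCK_DELETE and e["evt.outcome"] == "Success"]

def follow_up_changes(events, deletion, window=timedelta(hours=1)):
    """Write/delete operations on the unlocked scope within `window` after the deletion."""
    scope = locked_scope(deletion["resource_id"])
    if scope is None:
        return []
    start = datetime.fromisoformat(deletion["timestamp"])
    hits = []
    for e in events:
        rid = e["resource_id"].lower()
        ts = datetime.fromisoformat(e["timestamp"])
        in_scope = rid == scope or rid.startswith(scope + "/")
        changes = e["evt.name"].upper().endswith(("/WRITE", "/DELETE"))
        if e is not deletion and in_scope and changes and start <= ts <= start + window:
            hits.append(e)
    return hits

# Constructed sample events; "resource_id" and "timestamp" are assumed field names.
SA = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"
VM = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
LOCK = SA + "/providers/Microsoft.Authorization/locks/do-not-delete"

def ev(ts, user, name, outcome, rid):
    return {"timestamp": f"2024-01-01T{ts}:00+00:00", "usr.id": user,
            "evt.name": name, "evt.outcome": outcome, "resource_id": rid}

EVENTS = [
    ev("09:00", "alice@example.com", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "Success", SA),
    ev("10:00", "alice@example.com", LOCK_DELETE, "Success", LOCK),
    ev("10:02", "carol@example.com", LOCK_DELETE, "Failure", VM + "/providers/Microsoft.Authorization/locks/l2"),
    ev("10:05", "alice@example.com", "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE", "Success", SA),
    ev("10:06", "bob@example.com", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "Success", VM),
]
```

On this sample, `find_lock_deletions(EVENTS)` returns only the 10:00 deletion, and `follow_up_changes` for it returns only the 10:05 storage account delete; the failed attempt, the earlier write and the unrelated VM change are excluded.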