AZT705 - Azure Backup Delete

An adversary may delete data within the Recovery Service Vault, which houses backup data.

Resource

Recovery Service Vaults

Actions

• Microsoft.RecoveryServices/Vaults/delete

• Microsoft.RecoveryServices/Vaults/read

Examples

Az PowerShellAzure CLIAzure Portal

• Remove-AzRecoveryServicesVault

• az backup vault delete

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Resource	Delete	Microsoft.RecoveryServices/Vaults/delete	AzureActivity

Queries

Platform	Query
Log Analytics	AzureActivity | where ResourceProviderValue == "MICROSOFT.RECOVERYSERVICES" and OperationNameValue contains "Delete"

Additional Resources