Microsoft.Insights/activityLogAlerts/delete

CSP: Azure
Techniques:

Event

Deletes an activity log alert rule, disabling security detection and notification capabilities.

Security Context

  • Activity log alerts trigger notifications when specific operations occur in the Azure subscription; deleting them blinds the security team to critical events like role assignments, resource deletions, or policy changes.
  • Adversaries delete alert rules to prevent automated detection and notification of their subsequent actions, ensuring that security teams are not alerted during the attack.

Log Source

Azure Activity Log
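
Added example, not part of the original entry: one way to flag this operation in Activity Log records exported as JSON lines. The field names (operationName, resultType, correlationId, resourceId, callerIpAddress, identity.claims), the result values, the severity labels and all sample records are assumptions or constructed for illustration.

```python
import json

TARGET_OP = "microsoft.insights/activitylogalerts/delete"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"

def _sample(op, result, corr, rule="role-assignment-alert"):
    """Build one constructed record (placeholder IDs, documentation IP range)."""
    return json.dumps({
        "time": "2024-01-01T10:00:00Z", "operationName": op, "resultType": result,
        "correlationId": corr, "callerIpAddress": "203.0.113.10",
        "resourceId": f"{RG}/providers/Microsoft.Insights/activityLogAlerts/{rule}",
        "identity": {"claims": {UPN_CLAIM: "user@example.com"}},
    })

# Constructed sample input: one JSON record per line, plus one damaged line.
SAMPLE_LINES = [
    _sample("MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS/DELETE", "Start", "c-1"),
    _sample("MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS/DELETE", "Success", "c-1"),
    _sample("Microsoft.Insights/activityLogAlerts/delete", "Failure", "c-2",
            "policy-change-alert"),
    _sample("MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS/WRITE", "Success", "c-3"),
    "not json",
]

def find_alert_rule_deletions(lines):
    """Return one finding per delete operation, keyed by correlationId."""
    findings = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the scan
        # Operation names can arrive in different casing, so compare lowercased.
        if not isinstance(rec, dict) or str(rec.get("operationName", "")).lower() != TARGET_OP:
            continue
        result = str(rec.get("resultType", "")).lower()
        if not result or result.startswith("start"):
            continue  # a start record only marks the request; wait for the outcome
        claims = (rec.get("identity") or {}).get("claims") or {}
        findings[rec.get("correlationId")] = {
            "time": rec.get("time"),
            "rule": str(rec.get("resourceId", "")).rsplit("/", 1)[-1],
            "caller": claims.get(UPN_CLAIM, "unknown"),
            "source_ip": rec.get("callerIpAddress"),
            # Unsuccessful attempts are kept at lower severity: they still show intent.
            "severity": "high" if result.startswith("succ") else "medium",
        }
    return list(findings.values())
```

Each finding carries the deleted rule name and caller so it can be checked against approved change activity.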

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1562.001 — Disable or Modify Tools — Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properl...