Microsoft.Insights/activityLogAlerts/delete
Azure
Microsoft.Insights/activityLogAlerts/delete
Event
Deletes an activity log alert rule, disabling security detection and notification capabilities.
Security Context
- Activity log alerts trigger notifications when specific operations occur in the Azure subscription; deleting them blinds the security team to critical events like role assignments, resource deletions, or policy changes.
- Adversaries delete alert rules to prevent automated detection and notification of their subsequent actions, ensuring that security teams are not alerted during the attack.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud deletes the alert-rg-cannotdelete-removed activity log alert that fires when management locks are deleted on the production resource group. Removing the alert rule kills near-real-time notification of the lock removal Draco performed earlier — buying him more time before security responds. Maps to T1685.
{ "authorization": { "action": "Microsoft.Insights/activityLogAlerts/delete", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000011011000", "description": "", "eventDataId": "90000000-0000-4000-8000-000011011001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T20:24:42.7172938Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed/events/90000000-0000-4000-8000-000011011001/ticks/638798202827172938", "level": "Informational", "operationId": "90000000-0000-4000-8000-000011011010", "operationName": { "value": "Microsoft.Insights/activityLogAlerts/delete", "localizedValue": "Delete Activity Log Alert" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.Insights", "localizedValue": "Microsoft Insights" }, "resourceType": { "value": "Microsoft.Insights/activityLogAlerts", "localizedValue": "Microsoft.Insights/activityLogAlerts" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T20:24:43.0218732Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed", "message": "Microsoft.Insights/activityLogAlerts/delete", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000011011011", "clientIpAddress": "203.0.113.66", "method": "DELETE", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed?api-version=2020-10-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...