Skip to content

Microsoft.Insights/activityLogAlerts/delete

Azure

Microsoft.Insights/activityLogAlerts/delete

service: Azure - Monitor
techniques:

Event

Deletes an activity log alert rule, disabling security detection and notification capabilities.

Security Context

  • Activity log alerts trigger notifications when specific operations occur in the Azure subscription; deleting them blinds the security team to critical events like role assignments, resource deletions, or policy changes.
  • Adversaries delete alert rules to prevent automated detection and notification of their subsequent actions, ensuring that security teams are not alerted during the attack.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud deletes the alert-rg-cannotdelete-removed activity log alert that fires when management locks are deleted on the production resource group. Removing the alert rule kills near-real-time notification of the lock removal Draco performed earlier — buying him more time before security responds. Maps to T1685.

{
"authorization": {
"action": "Microsoft.Insights/activityLogAlerts/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000011011000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000011011001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T20:24:42.7172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed/events/90000000-0000-4000-8000-000011011001/ticks/638798202827172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000011011010",
"operationName": {
"value": "Microsoft.Insights/activityLogAlerts/delete",
"localizedValue": "Delete Activity Log Alert"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.Insights",
"localizedValue": "Microsoft Insights"
},
"resourceType": {
"value": "Microsoft.Insights/activityLogAlerts",
"localizedValue": "Microsoft.Insights/activityLogAlerts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T20:24:43.0218732Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed",
"message": "Microsoft.Insights/activityLogAlerts/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000011011011",
"clientIpAddress": "203.0.113.66",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Insights/activityLogAlerts/alert-rg-cannotdelete-removed?api-version=2020-10-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...