Microsoft.KeyVault/vaults/delete
Azure
Microsoft.KeyVault/vaults/delete
Event
Permanently deletes an Azure Key Vault; without soft-delete, all secrets, keys, and certificates are unrecoverable.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.
Log Source
Azure Activity Log
Sample Event
Adversarial. As an impact action after exfiltrating the secrets/certs, draco@fantasticlogs.cloud deletes the entire kv-bowtruckle-prod Key Vault. With soft-delete enabled (the default), the vault enters the soft-deleted state and can be recovered for the retention period (typically 90 days), but immediate operational impact is total — every secret, key, and certificate is unavailable to legitimate consumers.
{ "authorization": { "action": "Microsoft.KeyVault/vaults/delete", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "kvDel203ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100000100", "description": "", "eventDataId": "90000000-0000-4000-8000-000100000101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:11:09.2418857Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod/events/90000000-0000-4000-8000-000100000101/ticks/638798239892418857", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100000110", "operationName": { "value": "Microsoft.KeyVault/vaults/delete", "localizedValue": "Delete Key Vault" }, "resourceGroupName": "rg-bowtruckle-vault", "resourceProviderName": { "value": "Microsoft.KeyVault", "localizedValue": "Microsoft.KeyVault" }, "resourceType": { "value": "Microsoft.KeyVault/vaults", "localizedValue": "Microsoft.KeyVault/vaults" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T18:11:09.7771204Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-bowtruckle-vault/providers/Microsoft.KeyVault/vaults/kv-bowtruckle-prod", "message": "Microsoft.KeyVault/vaults/delete", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Impact Defense Impairment
Techniques:
- T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...