Skip to content

Microsoft.Network/networkWatchers/flowLogs/delete

Azure

Microsoft.Network/networkWatchers/flowLogs/delete

service: Azure - Network Watcher
techniques:

Event

Deletes an NSG flow log configuration, stopping the capture of network traffic metadata for a network security group.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud deletes the NSG flow log configuration nsg-flow-log-prod from the regional Network Watcher, stopping the capture of 5-tuple flow records to the security storage account. This blinds defenders to subsequent inbound/outbound traffic on the NSGs that previously had flow logs enabled.

{
"authorization": {
"action": "Microsoft.Network/networkWatchers/flowLogs/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/nsg-flow-log-prod"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "fldDel208ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100010101",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100010110",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:35:48.7421005Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/nsg-flow-log-prod/events/90000000-0000-4000-8000-000100010110/ticks/638798255487421005",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100010111",
"operationName": {
"value": "Microsoft.Network/networkWatchers/flowLogs/delete",
"localizedValue": "Delete Flow Log"
},
"resourceGroupName": "NetworkWatcherRG",
"resourceProviderName": {
"value": "Microsoft.Network",
"localizedValue": "Microsoft.Network"
},
"resourceType": {
"value": "Microsoft.Network/networkWatchers/flowLogs",
"localizedValue": "Microsoft.Network/networkWatchers/flowLogs"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/nsg-flow-log-prod",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:35:49.3107218Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/nsg-flow-log-prod",
"message": "Microsoft.Network/networkWatchers/flowLogs/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...