Microsoft.Security/autoProvisioningSettings/write

Event

Modifies auto-provisioning settings, potentially disabling automatic deployment of security monitoring agents.

Security Context

  • Auto-provisioning automatically installs security monitoring agents on new and existing resources; disabling it creates a blind spot where new workloads deploy without security monitoring.
  • Adversaries disable auto-provisioning to ensure that newly created resources used in their attack are not instrumented with monitoring agents that would detect malicious activity.

Log Source

Azure Activity Log
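
One way to triage this operation in exported Activity Log records, as an added example that is not part of the original page or of any Microsoft tooling. The record shape (operationName.value, status.value, caller, correlationId) and a JSON request body under properties.requestbody are assumptions about the export in use, and every sample record is constructed.

```python
import json

# Activity Log exports may upper-case the operation name, so compare in lower case.
OPERATION = "microsoft.security/autoprovisioningsettings/write"
WRITE = "Microsoft.Security/autoProvisioningSettings/write"
OFF = {"properties": {"autoProvision": "Off"}}
ON = {"properties": {"autoProvision": "On"}}

def _event(cid, caller, op, status, body=None):
    """Build a constructed sample record (not real log data)."""
    props = {"requestbody": json.dumps(body)} if body is not None else {}
    return {"correlationId": cid, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "properties": props}

SAMPLE_EVENTS = [
    _event("c-1", "ops@example.com", WRITE, "Started", OFF),
    _event("c-1", "ops@example.com", WRITE, "Succeeded", OFF),
    _event("c-2", "ops@example.com", WRITE.upper(), "Succeeded", ON),
    _event("c-3", "svc@example.com", WRITE, "Succeeded"),      # no request body logged
    _event("c-4", "svc@example.com", WRITE, "Failed", OFF),    # change did not apply
    _event("c-5", "ops@example.com", "Microsoft.Security/pricings/write", "Succeeded"),
]

def requested_state(event):
    """Return the requested autoProvision value, or None if the body is absent or unparsable."""
    body = (event.get("properties") or {}).get("requestbody")
    try:
        return json.loads(body)["properties"]["autoProvision"]
    except (TypeError, ValueError, KeyError):
        return None

def detect(events):
    """Return one finding per successful auto-provisioning write, ranked by requested state."""
    findings = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        status = (ev.get("status") or {}).get("value", "")
        if op.lower() != OPERATION or status.lower() != "succeeded":
            continue
        state = requested_state(ev)
        # "Off" is the blind-spot case; an unknown state still needs a human look.
        severity = {"Off": "high", "On": "info"}.get(state, "review")
        findings.append({"correlationId": ev.get("correlationId"),
                         "caller": ev.get("caller"), "state": state, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A finding with severity "review" means the record showed a successful write but not what was written, so the current setting has to be checked on the subscription itself.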

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1562.001 — Disable or Modify Tools — Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properl...