Skip to content

Microsoft.Storage/storageAccounts/delete

Azure

Microsoft.Storage/storageAccounts/delete

service: Azure - Azure Storage
techniques:

Event

Permanently deletes an Azure Storage account and all of its data.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Destructive deletion of cloud resources can cause significant operational disruption, data loss, and extended recovery times.

Log Source

Azure Activity Log

Sample Event

Adversarial. After deleting the customer container, draco@fantasticlogs.cloud deletes the entire production storage account flcoccamy001, eliminating any other containers (logs, exports, configs) that lived alongside customers. Storage account deletion is permanent — there is no soft-delete at the account level (only at the container/blob level).

{
"authorization": {
"action": "Microsoft.Storage/storageAccounts/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "saDel223ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100010001",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100010100",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:54:08.7421101Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/events/90000000-0000-4000-8000-000100010100/ticks/638798266487421101",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100110111",
"operationName": {
"value": "Microsoft.Storage/storageAccounts/delete",
"localizedValue": "Delete Storage Account"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Storage",
"localizedValue": "Microsoft.Storage"
},
"resourceType": {
"value": "Microsoft.Storage/storageAccounts",
"localizedValue": "Microsoft.Storage/storageAccounts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:54:09.3211002Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001",
"message": "Microsoft.Storage/storageAccounts/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Impact Defense Impairment

Techniques:
  • T1485 — Data Destruction — Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and r...
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...