Detect CoreBackUp Deletion Activity from related Security Alerts

Status: available
Severity: medium
Time window: 1d
Group by: AlertName
Source: github.com/Azure/Azure-Sentinel

'The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker's actions.' Though such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.'

MITRE ATT&CK coverage

Tactic	Techniques
Impact	`T1496` Resource Hijacking

Rule body kusto

id: 011c84d8-85f0-4370-b864-24c13455aa94
name: Detect CoreBackUp Deletion Activity from related Security Alerts
description: |
  'The query identifies any efforts by an attacker to delete backup containers, while also searching for any security alerts that may be linked to the same activity, in order to uncover additional information about the attacker's actions.' 
  Though such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: AzureSecurityCenter
    dataTypes:
      - SecurityAlert
  - connectorId: MicrosoftDefenderForCloudTenantBased
    dataTypes:
      - SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1496
query: |
  SecurityAlert
  | extend Extprop = parse_json(ExtendedProperties)
  | mv-expand todynamic(Entities)
  | extend HostName = iff(isnotempty(tostring(Extprop["Compromised Host"])), tolower(tostring(Extprop["Compromised Host"])), tolower(tostring(parse_json(Entities).HostName)))
  | where isnotempty(HostName)
  | mv-expand todynamic(split(HostName, ','))
  | extend DnsDomain = iff(isnotempty(tostring(Extprop["Machine Domain"])), tostring(Extprop["Machine Domain"]), tostring(parse_json(Entities).DnsDomain))
  | extend UserName = iff(isnotempty(tostring(Extprop["User Name"])), tostring(Extprop["User Name"]), iff(tostring(parse_json(Entities).Type) == 'account', tostring(parse_json(Entities).Name), ''))
  | extend NTDomain = iff(isnotempty(tostring(Extprop["User Domain"])), tostring(Extprop["User Domain"]), tostring(parse_json(Entities).NTDomain))
  | extend IpAddress = iff(tostring(parse_json(Entities).Type) == 'ip', tostring(parse_json(Entities).Address), tostring(parse_json(Extprop).["IpAddress"]))
  | summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)
  | project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress
  | join kind=inner
  (
  CoreAzureBackup
  | where State =~ "Deleted"
  | where OperationName =~ "BackupItem"
  | extend data = split(BackupItemUniqueId, ";")
  | extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]
  | project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName
  )
  on HostName
  | project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserName
      - identifier: NTDomain
        columnName: NTDomain
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: _ResourceId
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress
version: 1.0.2
kind: Scheduled

Stages and Predicates

Stage 1: `source`

SecurityAlert

Stage 2: `extend`

| extend Extprop = parse_json(ExtendedProperties)

Stage 3: `mv-expand`

| mv-expand todynamic(Entities)

Stage 4: `extend`

| extend HostName = iff(isnotempty(tostring(Extprop["Compromised Host"])), tolower(tostring(Extprop["Compromised Host"])), tolower(tostring(parse_json(Entities).HostName)))

HostName =

if/* macro: isnotempty(tostring(Extprop["Compromised Host"])) */tolower(tostring(Extprop["Compromised Host"]))

elsetolower(tostring(parse_json(Entities).HostName))

Stage 5: `where`

| where isnotempty(HostName)

Stage 6: `mv-expand`

| mv-expand todynamic(split(HostName, ','))

Stage 7: `extend` (4 consecutive steps)

| extend DnsDomain = iff(isnotempty(tostring(Extprop["Machine Domain"])), tostring(Extprop["Machine Domain"]), tostring(parse_json(Entities).DnsDomain))
| extend UserName = iff(isnotempty(tostring(Extprop["User Name"])), tostring(Extprop["User Name"]), iff(tostring(parse_json(Entities).Type) == 'account', tostring(parse_json(Entities).Name), ''))
| extend NTDomain = iff(isnotempty(tostring(Extprop["User Domain"])), tostring(Extprop["User Domain"]), tostring(parse_json(Entities).NTDomain))
| extend IpAddress = iff(tostring(parse_json(Entities).Type) == 'ip', tostring(parse_json(Entities).Address), tostring(parse_json(Extprop).["IpAddress"]))

DnsDomain =

if/* macro: isnotempty(tostring(Extprop["Machine Domain"])) */tostring(Extprop["Machine Domain"])

elsetostring(parse_json(Entities).DnsDomain)

Stage 8: `summarize`

| summarize timestamp = arg_max(TimeGenerated, *) by AlertName, tostring(HostName)

Stage 9: `project`

| project timestamp, AlertName, UserName, NTDomain, tostring(HostName), DnsDomain, IpAddress

Stage 10: `join`

| join kind=inner
(
CoreAzureBackup
| where State =~ "Deleted"
| where OperationName =~ "BackupItem"
| extend data = split(BackupItemUniqueId, ";")
| extend AzureLocation = data[0], VaultId=data[1], HostName=tolower(tostring(data[2])), DrivesBackedUp=data[3]
| project timestamp = TimeGenerated, AzureLocation, VaultId, HostName, DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName
)
on HostName

Stage 11: `project`

| project timestamp, AlertName, HostName, DnsDomain, UserName, NTDomain, _ResourceId, IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`HostName`	is_not_null	(no value, null check)
`OperationName`	eq	`BackupItem`
`State`	eq	`Deleted`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`AlertName`	`project`
`AzureLocation`	`project`
`BackupItemFriendlyName`	`project`
`BackupItemUniqueId`	`project`
`DnsDomain`	`project`
`DrivesBackedUp`	`project`
`HostName`	`project`
`IpAddress`	`project`
`NTDomain`	`project`
`OperationName`	`project`
`State`	`project`
`UserName`	`project`
`VaultId`	`project`
`_ResourceId`	`project`
`timestamp`	`project`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Detect CoreBackUp Deletion Activity from related Security Alerts

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Stage 1: `source`

Stage 2: `extend`

Stage 3: `mv-expand`

Stage 4: `extend`

Stage 5: `where`

Stage 6: `mv-expand`

Stage 7: `extend` (4 consecutive steps)

Stage 8: `summarize`

Stage 9: `project`

Stage 10: `join`

Stage 11: `project`

Indicators

Output fields

Keyboard shortcuts

Search operators

Detect CoreBackUp Deletion Activity from related Security Alerts

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Stage 1: source

Stage 2: extend

Stage 3: mv-expand

Stage 4: extend

Stage 5: where

Stage 6: mv-expand

Stage 7: extend (4 consecutive steps)

Stage 8: summarize

Stage 9: project

Stage 10: join

Stage 11: project

Indicators

Output fields

Stage 1: `source`

Stage 2: `extend`

Stage 3: `mv-expand`

Stage 4: `extend`

Stage 5: `where`

Stage 6: `mv-expand`

Stage 7: `extend` (4 consecutive steps)

Stage 8: `summarize`

Stage 9: `project`

Stage 10: `join`

Stage 11: `project`