Detection rules › Panther
Azure Storage Blob Soft Delete Disabled
Detects when Azure storage account blob soft delete is disabled. Disabling soft delete removes protection against accidental deletion and may indicate preparation for data destruction.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction, T1490 Inhibit System Recovery |
Rule body yaml
AnalysisType: rule
Filename: azure_storage_blob_soft_delete_disabled.py
RuleID: "Azure.MonitorActivity.StorageAccount.BlobSoftDeleteDisabled"
DisplayName: "Azure Storage Blob Soft Delete Disabled"
Enabled: true
LogTypes:
- Azure.MonitorActivity
Severity: High
Description: >
Detects when Azure storage account blob soft delete is disabled.
Disabling soft delete removes protection against accidental deletion and may indicate preparation for data destruction.
Reports:
MITRE ATT&CK:
- TA0040:T1485 # Impact: Data Destruction
- TA0040:T1490 # Impact: Inhibit System Recovery
Tags:
- Impact
- Data Destruction
- Inhibit System Recovery
- Ransomware
Runbook: |
1. Query Azure Monitor Activity logs for all storage account blob service operations by the callerIpAddress in the 6 hours before and after this alert to identify patterns
2. Check if the source IP is associated with known cloud providers, VPN services, or corporate network ranges using threat intelligence
3. Search for other Azure storage account configuration changes or blob deletion events from the same user or IP in the past 7 days to assess if this is part of a data destruction campaign
Reference: https://azure.github.io/azure-storage-java/com/microsoft/azure/storage/DeleteRetentionPolicy.html
SummaryAttributes:
- resourceId
- callerIpAddress
- correlationId
Tests:
- Name: Soft Delete Disabled
ExpectedResult: true
Log:
{
"time": "2024-12-17T10:30:00.0000000Z",
"resourceId": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/blobServices/default",
"operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
"operationVersion": "2021-04-01",
"category": "Administrative",
"resultType": "Success",
"callerIpAddress": "1.1.1.1",
"location": "eastus",
"correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"properties": {
"requestbody": "{\"properties\":{\"deleteRetentionPolicy\":{\"enabled\":false}}}"
},
"tenantId": "87654321-4321-4321-4321-111111111111"
}
- Name: Soft Delete Enabled
ExpectedResult: false
Log:
{
"time": "2024-12-17T12:00:00.0000000Z",
"resourceId": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/securestorageaccount/blobServices/default",
"operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
"operationVersion": "2021-04-01",
"category": "Administrative",
"resultType": "Success",
"callerIpAddress": "203.0.113.50",
"location": "eastus",
"correlationId": "c3d4e5f6-a7b8-9012-cdef-123456789012",
"properties": {
"requestbody": "{\"properties\":{\"deleteRetentionPolicy\":{\"enabled\":true,\"days\":7}}}"
},
"tenantId": "87654321-4321-4321-4321-210987654321"
}
Detection logic
Condition
operationName eq "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/WRITE"
resultType in ["Success", "Succeeded"]
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
operationName | eq |
|
resultType | in |
|