Azure Event Hub Deletion for Defense Evasion
Detection of Azure Event Hub deletion, indicative of defense evasion by adversaries seeking to disrupt data flow and evade detection by erasing log evidence.
This alert identifies the deletion of an Azure Event Hub, a critical event processing service for ingesting and processing large volumes of data in real-time. Attackers may target Event Hubs for deletion in an attempt to evade detection by erasing evidence of their activities or to disrupt data flow. The rule focuses on identifying successful deletion operations within Azure activity logs, specifically looking for the "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" event. The monitoring of Event Hub deletion is crucial because successful deletion can lead to data loss, service disruption, and an increased dwell time for attackers due to the removal of forensic data.
Attack Chain
- An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.
- The attacker escalates privileges within the Azure environment to obtain the necessary permissions to manage Event Hubs.
- The attacker identifies Event Hubs within the target environment that contain valuable log data.
- The attacker initiates a deletion request for a specific Event Hub using the Azure portal, CLI, or API.
- Azure processes the deletion request, logging the event with the operation name "MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE".
- The Event Hub is successfully deleted, resulting in the removal of associated log data and potentially disrupting data streams.
- The attacker attempts to cover their tracks by deleting or modifying other related logs within the Azure environment.
Impact
Successful deletion of Azure Event Hubs can lead to a significant loss of log data, hindering incident response and forensic investigations. This can allow attackers to operate undetected for longer periods, increasing the potential for further damage. Service disruption can also occur if the deleted Event Hub was critical for real-time data processing. While the exact number of victims is unknown, organizations relying on Azure Event Hubs for security monitoring and data analytics are at risk.
Recommendation
- Deploy the Sigma rule to detect Event Hub deletions (see
rulessection) in your SIEM, and tune for your environment. - Review Azure RBAC permissions to ensure only authorized personnel have Event Hub deletion rights.
- Enable multi-factor authentication (MFA) for all Azure accounts to prevent unauthorized access (reference: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about).
- Implement additional monitoring and alerting for Azure Event Hub operations to detect and respond to unauthorized activities promptly.
Detection coverage 2
Azure Event Hub Deleted
mediumDetects the deletion of an Event Hub in Azure Activity Logs.
Azure Event Hub Namespace Deletion
mediumDetects the deletion of an Event Hub Namespace in Azure Activity Logs which may contain multiple event hubs.
Detection queries are available on the platform. Get full rules →