Query Details
// Rule : Azure - Resource Lock or Policy Assignment Deleted
// Severity: Medium
// Tactics : DefenseEvasion
// MITRE : T1562
// Freq : PT1H Period: PT2H
//==========================================================================================
let HighImpactOps = dynamic([
"MICROSOFT.AUTHORIZATION/LOCKS/DELETE",
"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
"MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/DELETE",
"MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
"MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE",
"MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE"
]);
let ExcludedPatterns = dynamic(["terraform", "bicep", "pipeline", "arm-", "policy-compliance"]);
AzureActivity
| where TimeGenerated > ago(2h)
| where OperationNameValue has_any (HighImpactOps)
| where ActivityStatusValue =~ "Success"
| where not(tolower(Caller) has_any (ExcludedPatterns))
| where isnotempty(CallerIpAddress)
| where CallerIpAddress !startswith "168.63."
| summarize
    OperationCount = count(),
    Operations = make_set(OperationNameValue, 10),
    AffectedResources = make_set(ResourceId, 10),
    SourceIPs = make_set(CallerIpAddress, 5),
    CallerIP = take_any(CallerIpAddress),   // any() is deprecated in favour of take_any()
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, SubscriptionId, ResourceGroup
| extend
    AccountName = tostring(split(Caller, "@")[0]),
    AccountUPNSuffix = tostring(split(Caller, "@")[1])

This query is designed to monitor and detect potentially suspicious activities related to the deletion of resource locks or policy assignments in Azure, which could indicate attempts to evade security measures. Here's a simplified breakdown of what the query does:
Define High-Impact Operations: It specifies a list of operations that are considered high-impact, such as deleting locks, policy assignments, policy definitions, and management group subscriptions.
Exclude Certain Patterns: It excludes operations initiated by certain tools or processes (like Terraform, Bicep, pipelines, etc.) that are typically legitimate and expected.
Filter Azure Activity Logs: The query looks at Azure activity logs from the past 2 hours to find successful operations that match the high-impact operations list.
Exclude Specific IP Addresses: It filters out operations from IP addresses starting with "168.63." and ensures that the caller's IP address is not empty.
Summarize Results: For each unique caller, subscription, and resource group, it summarizes the data by counting the number of operations, listing the types of operations, affected resources, and source IPs. It also records the first and last time the operations were seen.
Extract Account Information: Finally, it splits the caller's user principal name (UPN) on "@" and displays the account name and domain suffix separately.
Overall, this query helps identify unauthorized or unexpected deletions of critical security configurations in Azure, which could be a sign of defense evasion tactics.
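To test the rule's logic offline, here is an added Python re-implementation of its filter, summarize and extend stages run over constructed AzureActivity-like records; it is not part of the original rule, and the callers, IPs, resource IDs and timestamp are made up. KQL has_any is a case-insensitive term match, which the example approximates with substring tests.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_IMPACT_OPS = ["MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
                   "MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/DELETE", "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
                   "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE",
                   "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/DELETE"]
EXCLUDED_PATTERNS = ["terraform", "bicep", "pipeline", "arm-", "policy-compliance"]
NOW = datetime(2026, 3, 12, 12, 0, 0)  # constructed "query time" so the 2h window is deterministic

def keep(row, now):
    """Mirror the rule's where clauses (has_any term matching approximated with substring tests)."""
    ip = row["CallerIpAddress"]
    return (row["TimeGenerated"] > now - timedelta(hours=2)
            and any(op in row["OperationNameValue"].upper() for op in HIGH_IMPACT_OPS)
            and row["ActivityStatusValue"].lower() == "success"
            and not any(p in row["Caller"].lower() for p in EXCLUDED_PATTERNS)
            and bool(ip) and not ip.startswith("168.63."))

def summarize(rows, now):
    """Group survivors by Caller/SubscriptionId/ResourceGroup like the summarize + extend stages."""
    groups = defaultdict(list)
    for r in rows:
        if keep(r, now):
            groups[(r["Caller"], r["SubscriptionId"], r["ResourceGroup"])].append(r)
    results = []
    for (caller, sub, rg), rs in groups.items():
        name, _, suffix = caller.partition("@")  # split(Caller, "@")[0] / [1]
        results.append({"Caller": caller, "SubscriptionId": sub, "ResourceGroup": rg,
                        "OperationCount": len(rs),
                        "Operations": sorted({r["OperationNameValue"] for r in rs})[:10],
                        "AffectedResources": sorted({r["ResourceId"] for r in rs})[:10],
                        "SourceIPs": sorted({r["CallerIpAddress"] for r in rs})[:5],
                        "FirstSeen": min(r["TimeGenerated"] for r in rs),
                        "LastSeen": max(r["TimeGenerated"] for r in rs),
                        "AccountName": name, "AccountUPNSuffix": suffix})
    return results

def sample_rows(now):
    """Constructed AzureActivity-like records (not real tenant data)."""
    def row(caller, op, status, ip, age_min, rid="/subscriptions/sub-1/resourceGroups/rg-prod/locks/l1"):
        return {"TimeGenerated": now - timedelta(minutes=age_min), "Caller": caller, "OperationNameValue": op,
                "ActivityStatusValue": status, "CallerIpAddress": ip, "SubscriptionId": "sub-1",
                "ResourceGroup": "rg-prod", "ResourceId": rid}
    lock_del, pa_del = "MICROSOFT.AUTHORIZATION/LOCKS/DELETE", "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE"
    return [row("alice@contoso.example", lock_del, "Success", "203.0.113.7", 30),
            row("alice@contoso.example", pa_del, "Success", "203.0.113.7", 10, rid="/subscriptions/sub-1/providers/Microsoft.Authorization/policyAssignments/pa1"),
            row("terraform-sp@contoso.example", lock_del, "Success", "203.0.113.9", 5),  # dropped: excluded caller pattern
            row("bob@contoso.example", lock_del, "Success", "168.63.129.16", 5),         # dropped: platform IP prefix
            row("carol@contoso.example", lock_del, "Failed", "203.0.113.8", 5),          # dropped: not Success
            row("dave@contoso.example", lock_del, "Success", "203.0.113.8", 180)]        # dropped: outside 2h window
```

Running summarize(sample_rows(NOW), NOW) yields a single row for alice with two operations and two affected resources; the other four records fall to the exclusions the rule applies.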

David Alonso
Released: March 12, 2026