Query Details

RULE 16 Sentinel Analytics Rule Deleted

Query

// Rule    : Azure Sentinel - Analytics Rule Deleted or Disabled
// Severity: High
// Tactics : DefenseEvasion
// MITRE   : T1562
// Freq    : PT1H   Period: PT2H
//==========================================================================================

let KnownIaCPatterns = dynamic(["terraform", "bicep", "pipeline", "github", "pulumi", "devops"]);
// Alert rule DELETE = removal; WRITE can cover status change to disabled — both are suspicious
let SentinelRuleOps = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
]);
AzureActivity
| where TimeGenerated > ago(2h)
| where OperationNameValue has_any (SentinelRuleOps)
| where ActivityStatusValue =~ "Success"
| where not(tolower(Caller) has_any (KnownIaCPatterns))
| where isnotempty(CallerIpAddress)
| where CallerIpAddress !startswith "168.63." and CallerIpAddress !startswith "169.254."
// Separate deletions from modifications to differentiate severity in the alert
| extend OperationType = iff(OperationNameValue has "DELETE", "Delete", "Modify/Disable")
| summarize
    OperationCount     = count(),
    DeleteCount        = countif(OperationType == "Delete"),
    ModifyCount        = countif(OperationType == "Modify/Disable"),
    AffectedRules      = make_set(ResourceId, 20),
    Operations         = make_set(OperationNameValue, 5),
    AffectedWorkspaces = make_set(ResourceGroup, 5),
    SourceIPs          = make_set(CallerIpAddress, 5),
    CallerIP           = any(CallerIpAddress),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
    by Caller, SubscriptionId
| where DeleteCount >= 1 or ModifyCount >= 3    // any delete or 3+ modifications
| extend
    AccountName      = tostring(split(Caller, "@")[0]),
    AccountUPNSuffix = tostring(split(Caller, "@")[1])

Explanation

This query is designed to detect suspicious activities related to the deletion or disabling of Azure Sentinel analytics rules, which could indicate attempts at defense evasion. Here's a simplified breakdown of what the query does:

  1. Define Patterns and Operations:
    • It sets up a list of known infrastructure-as-code (IaC) caller patterns and the two alert-rule operations of interest (deletion and write/modification).
  2. Filter Azure Activity Logs:
    • It looks at Azure activity logs from the last 2 hours.
    • It keeps only successful operations that delete or modify analytics rules.
    • It excludes operations whose caller name matches a known IaC pattern, operations with no caller IP, and operations from the Azure platform address ranges 168.63.x.x and 169.254.x.x.
  3. Classify Operations:
    • It labels each operation as "Delete" or "Modify/Disable" so the alert can reflect the severity of the activity.
  4. Summarize Data:
    • It counts the total number of operations, and separately the number of deletions and modifications.
    • It collects the affected rules, operation names, resource groups, source IPs, and the first and last time seen.
    • It groups this data by the caller and subscription ID.
  5. Identify Suspicious Activity:
    • It flags any caller who has deleted at least one rule or modified/disabled three or more rules within the window.
  6. Extract User Information:
    • It splits the caller's user principal name into account name and domain suffix for further analysis.

Overall, this query helps identify potentially unauthorized or suspicious changes to Azure Sentinel analytics rules, which could be indicative of an attempt to evade detection.
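To see how the filters and thresholds behave, the following Python mirrors the rule's logic and runs it over a handful of constructed AzureActivity rows. This is an added example, not part of the original query page; the sample callers, IPs and resource paths are made up, and the `row` helper and the use of substring matching in place of KQL's term-based `has_any` are assumptions of this illustration.

```python
from collections import defaultdict

KNOWN_IAC_PATTERNS = ("terraform", "bicep", "pipeline", "github", "pulumi", "devops")
SENTINEL_RULE_OPS = ("MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
                     "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE")
PLATFORM_IP_PREFIXES = ("168.63.", "169.254.")  # Azure platform ranges the rule skips

def passes_filters(row):
    """The rule's 'where' stages for one row (substring 'in' approximates KQL has_any)."""
    op, ip = row["OperationNameValue"].upper(), row["CallerIpAddress"]
    caller = row["Caller"].lower()
    return (op in SENTINEL_RULE_OPS
            and row["ActivityStatusValue"].lower() == "success"
            and not any(p in caller for p in KNOWN_IAC_PATTERNS)
            and bool(ip) and not ip.startswith(PLATFORM_IP_PREFIXES))

def evaluate(rows):
    """summarize by Caller, SubscriptionId and apply the thresholds; returns alerting groups."""
    groups = defaultdict(lambda: {"DeleteCount": 0, "ModifyCount": 0,
                                  "AffectedRules": set(), "SourceIPs": set()})
    for r in filter(passes_filters, rows):
        g = groups[(r["Caller"], r["SubscriptionId"])]
        g["DeleteCount" if "DELETE" in r["OperationNameValue"].upper() else "ModifyCount"] += 1
        g["AffectedRules"].add(r["ResourceId"])
        g["SourceIPs"].add(r["CallerIpAddress"])
    alerts = {}
    for (caller, sub), g in groups.items():
        if g["DeleteCount"] >= 1 or g["ModifyCount"] >= 3:  # any delete, or 3+ writes
            account, _, suffix = caller.partition("@")       # split(Caller, "@")
            alerts[(caller, sub)] = dict(g, AccountName=account, AccountUPNSuffix=suffix)
    return alerts

# Constructed sample AzureActivity rows (not real tenant data); resource paths shortened.
DEL, WR = SENTINEL_RULE_OPS
def row(op, caller, ip, rule, status="Success", sub="sub-a"):
    return {"OperationNameValue": op, "Caller": caller, "CallerIpAddress": ip,
            "ActivityStatusValue": status, "SubscriptionId": sub, "ResourceGroup": "rg-sec",
            "ResourceId": f"/subscriptions/{sub}/.../alertRules/{rule}"}

SAMPLE_ROWS = [
    row(DEL, "alice@contoso.example", "203.0.113.10", "rule-1"),   # one delete -> alerts
    row(WR, "bob@contoso.example", "198.51.100.7", "rule-2"),      # three writes -> alerts
    row(WR, "bob@contoso.example", "198.51.100.7", "rule-3"),
    row(WR, "bob@contoso.example", "198.51.100.7", "rule-4"),
    row(WR, "carol@contoso.example", "198.51.100.9", "rule-5"),    # single write -> no alert
    row(DEL, "sp-terraform-prod@contoso.example", "203.0.113.5", "rule-6"),  # IaC caller excluded
    row(DEL, "dave@contoso.example", "168.63.129.16", "rule-7"),   # platform IP excluded
    row(DEL, "erin@contoso.example", "203.0.113.9", "rule-8", status="Failed"),  # not a success
]
ALERTS = evaluate(SAMPLE_ROWS)  # alice (delete) and bob (3 writes) only
```

Swapping rows in and out of SAMPLE_ROWS is a quick way to check that a tuning change (a new IaC pattern, a different write threshold) still fires on the cases you care about.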

Details

David Alonso

Released: March 12, 2026

Tables

AzureActivity

Keywords

Azure Sentinel, Analytics Rule, Defense Evasion, MITRE, AzureActivity, OperationNameValue, ActivityStatusValue, CallerIPAddress, ResourceID, ResourceGroup, SubscriptionID, AccountName, AccountUPNSuffix

Operators

let, dynamic, ago, has_any, =~, tolower, isnotempty, !startswith, extend, iff, summarize, count, countif, make_set, any, min, max, by, tostring, split