
Quick Start Security for Azure Resource Groups

Azure Resource Groups

Coralogix Extension For Azure Resource Groups Includes:

Alerts - 6

Stay on top of Azure Resource Groups key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

More than 5 Resource Groups were deleted under 5 minutes

This alert detects when more than 5 Resource Groups were deleted within 5 minutes. Because resource groups are created and deleted as part of the lifecycle of the resources they hold (VMs, storage, etc.), this alert is usually accompanied by other deletion operations, so check adjacent logs to see what else was deleted.

Impact: An attacker can delete Resource Groups to harm the company. Users can also inadvertently delete needed groups and disrupt normal operation of the environment, so each deletion operation should be verified.

Mitigation: Validate which groups were deleted and that the actions were authorized and intended. Check the user or service principal that initiated the actions and verify that it was authorized to perform them. As Resource Groups aggregate many different resources, this alert can be a precursor to many other suspicious deletion operations, so thoroughly investigate adjacent logs and resources.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1578 (Modify Cloud Compute Infrastructure)

A Policy has been deleted from a group

This alert detects when a policy assignment on a Resource Group was deleted. A policy assigned at resource group scope applies to every resource under it, including denying or allowing certain actions, so removing it silently lifts those controls for the whole group.

Impact: An attacker can delete policies to weaken controls and harm the company. Users can also inadvertently delete policies, so each such operation should be verified.

Mitigation: Validate which policy assignment was deleted and that the action was authorized and intended. Give special attention to any bulk deletion operations. As Resource Groups aggregate many different resources, a policy deletion affects every resource under the group, so thoroughly investigate adjacent logs and resources and establish exactly what the deleted policy enforced.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1578 (Modify Cloud Compute Infrastructure)

A Policy Has Been Assigned to a Group

This alert detects when a policy was assigned to a Resource Group. A policy assigned at resource group scope applies to every resource under it, including denying or allowing certain actions.

Impact: An attacker can add or modify policies to harm the company, and users can inadvertently assign overly restrictive or overly permissive policies, so each such operation should be verified.

Mitigation: Validate the policy that was assigned and that the action was authorized and intended, including its effect (for example a Deny effect blocks operations, whereas Audit only records them). Give special attention to any bulk assignment operations. As Resource Groups aggregate many different resources, the policy affects every resource under the group, so thoroughly investigate adjacent logs and resources and establish exactly what the policy changed.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1578 (Modify Cloud Compute Infrastructure)

A Resource Group Has Been Deleted

This alert detects when a Resource Group was deleted. Because resource groups tend to be created and deleted as part of the lifecycle of the resources they hold (VMs, storage, etc.), this alert is usually accompanied by other deletion operations, so check adjacent logs to see what else was deleted.

Impact: An attacker can delete Resource Groups to harm the company, and users can inadvertently delete needed groups and disrupt normal operation of the environment, so each deletion operation should be verified.

Mitigation: Validate the group that was deleted and that the action was authorized and intended. Give special attention to any bulk deletion operations. As Resource Groups aggregate many different resources, this alert can be a precursor to many other suspicious deletion operations, so thoroughly investigate adjacent logs and resources. For resource groups that must never be removed, a CanNotDelete resource lock turns an accidental or malicious deletion into a failed, logged attempt rather than a loss.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1578 (Modify Cloud Compute Infrastructure)

No logs from Azure Resource Groups

This rule fires if no logs from Azure Resource Groups have arrived from the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM. Confirm that the Azure-side export of the Activity Log is still enabled and that the ingestion pipeline is healthy, since an absence of events can mean the export was switched off rather than that nothing happened.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)
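The five alerts above all reduce to simple rules over Azure Activity Log records: a sliding-window count for the bulk deletion, an equality match on the operation name for the single deletion and the two policy assignment events, and a heartbeat check for the missing-logs rule. The following is an added, stand-alone example of that logic in Python; it is not Coralogix's alert definition and not the format of its queries. The operation name strings are the Azure Activity Log operation names for these events, but the flat record shape (eventTimestamp, operationName, resourceId, status, caller), the subscription ID and the caller are constructed assumptions for the sample, as are the sample records themselves.

```python
"""Resource-group alert rules run over constructed Azure Activity Log records.
Added example code, not Coralogix's own alert definitions."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Azure Activity Log operation names for the events the alerts care about.
RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"
POLICY_ASSIGNMENT_WRITE = "Microsoft.Authorization/policyAssignments/write"
POLICY_ASSIGNMENT_DELETE = "Microsoft.Authorization/policyAssignments/delete"

BULK_DELETE_THRESHOLD = 5                  # "more than 5" deletions ...
BULK_DELETE_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
LOG_SILENCE_LIMIT = timedelta(hours=12)    # "no logs in the last 12 hours"


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(events):
    """Run the four resource-group rules over a batch of activity-log records.

    Only records with status "Succeeded" count: Azure also writes a "Started"
    record for the same operation, so counting every record would double the
    deletion count. Returns a list of alert dicts in time order.
    """
    alerts = []
    recent_deletes = deque()  # timestamps of successful RG deletions in the window
    for ev in sorted(events, key=lambda e: parse_ts(e["eventTimestamp"])):
        if ev["status"] != "Succeeded":
            continue
        op, ts = ev["operationName"], parse_ts(ev["eventTimestamp"])
        base = {"caller": ev["caller"], "resourceId": ev["resourceId"],
                "time": ev["eventTimestamp"]}
        if op == RG_DELETE:
            alerts.append({"rule": "resource_group_deleted", **base})
            recent_deletes.append(ts)
            # Slide the window: drop deletions older than 5 minutes.
            while ts - recent_deletes[0] > BULK_DELETE_WINDOW:
                recent_deletes.popleft()
            # Fire once, at the moment the count first exceeds the threshold.
            if len(recent_deletes) == BULK_DELETE_THRESHOLD + 1:
                alerts.append({"rule": "bulk_resource_group_deletion",
                               "count": len(recent_deletes), **base})
        elif op == POLICY_ASSIGNMENT_DELETE:
            alerts.append({"rule": "policy_assignment_deleted", **base})
        elif op == POLICY_ASSIGNMENT_WRITE:
            alerts.append({"rule": "policy_assignment_written", **base})
    return alerts


def logs_missing(events, now):
    """True if no record has arrived in the last 12 hours (or none at all)."""
    if not events:
        return True
    latest = max(parse_ts(e["eventTimestamp"]) for e in events)
    return now - latest > LOG_SILENCE_LIMIT


# Constructed sample records (subscription ID and caller are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CALLER = "ops-admin@contoso.example"


def _record(ts, op, resource_id, status="Succeeded", caller=CALLER):
    return {"eventTimestamp": ts, "operationName": op, "resourceId": resource_id,
            "status": status, "caller": caller}


SAMPLE_EVENTS = [
    # An isolated deletion 40 minutes earlier: alerts alone, outside the burst window.
    _record("2024-05-01T09:20:00Z", RG_DELETE, f"{SUB}/resourceGroups/rg-old"),
    # The "Started" record for the first burst deletion; must not be counted.
    _record("2024-05-01T10:00:00Z", RG_DELETE, f"{SUB}/resourceGroups/rg-1", status="Started"),
] + [
    # Six successful deletions 30 seconds apart: crosses "more than 5 in 5 minutes".
    _record(f"2024-05-01T10:{i // 2:02d}:{(i % 2) * 30:02d}Z", RG_DELETE,
            f"{SUB}/resourceGroups/rg-{i + 1}")
    for i in range(6)
] + [
    _record("2024-05-01T10:03:00Z", POLICY_ASSIGNMENT_DELETE,
            f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"),
    _record("2024-05-01T10:04:00Z", POLICY_ASSIGNMENT_WRITE,
            f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/policyAssignments/allow-all-skus"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["rule"], alert["time"], alert["caller"], alert["resourceId"])
    print("no logs for 12h:", logs_missing(SAMPLE_EVENTS, datetime.now(timezone.utc)))
```

On the sample, the rules produce seven single-deletion alerts, one bulk alert (raised on the sixth deletion in the burst, with the earlier rg-old deletion already outside the window), one policy deletion alert and one policy assignment alert. Every alert carries the caller and resource ID, which is what the mitigation steps above ask an analyst to validate first.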

Unauthorized Resource Group Insight Exposure

This use case covers an unauthorized user attempting to act within a resource group, either reading information about it or making changes without the required permissions. The audit log should capture these activities, including the denied or unexpected access, modifications, or data retrieval within the resource group.

Impact: Unauthorized actions against a resource group can lead to sensitive information exposure, data corruption, or service disruption, compromising the confidentiality, integrity, and availability of the resources within the affected group.

Mitigation: Role-Based Access Control (RBAC): Implement RBAC so that only authorized identities hold the permissions needed to read or change the resource group, scoped as narrowly as the task allows. Regular Audits and Reviews: Conduct regular audits of role assignments and user access to ensure that permissions follow the principle of least privilege, and update access controls as the organization changes. Multi-Factor Authentication (MFA): Enforce MFA to add a further layer of protection, reducing the risk of unauthorized access even when credentials are compromised.

MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1578 (Modify Cloud Compute Infrastructure)

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Resource Groups in our documentation.
