Azure Datadog Log Forwarder Deleted

azure

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Set up the azure integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.

Strategy

Monitor Azure logs where @evt.name is "MICROSOFT.WEB/SITES/DELETE", @evt.outcome is Success, and the @resourceID contains DATADOG and LOG. This rule does not work if the the Azure resource group or Azure function does not contain DATADOG or LOG.

Triage and response

  1. Verify the Azure function (@resourceId) is responsible for forwarding logs to Datadog.
  2. Determine if there is a legitimate reason for deleting the Azure function.
  3. If activity is not expected, investigate activity from the service principal (@identity.authorization.evidence) or user ({{@usr.id}}).
PREVIEWING: rtrieu/product-analytics-ui-changes