Azure Diagnostic settings removed from a resource

AzureActivity
| where OperationNameValue =~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
| summarize
    TimeGenerated = arg_max(TimeGenerated, Properties),
    ActivityStatusValue = make_set(ActivityStatusValue, 5),
    take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)
    by CorrelationId, _ResourceId, OperationNameValue
| extend ResourceHierarchy = split(_ResourceId, "/")
| extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), "/")
| join kind=leftanti (
    AzureActivity
    | where OperationNameValue !~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and OperationNameValue endswith "/DELETE" and ActivityStatusValue has_any ("Success", "Succeeded")
    | project _ResourceId
) on $left.MonitoredResourcePath == $right._ResourceId
| extend
    Name = iif(Caller has "@", tostring(split(Caller, "@")[0]), ""),
    UPNSuffix = iif(Caller has "@", tostring(split(Caller, "@")[1]), ""),
    AadUserId = iif(Caller has "@", "", Caller)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId

description: |
  'This query looks for diagnostic settings that are removed from a resource.
  This could indicate an attacker or malicious internal trying to evade detection before malicious act is performed.
  If the diagnostic settings are being deleted as part of a parent resource deletion, the event is ignores.'  
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/AzDiagSettingsDeleted.yaml
severity: Medium
name: Azure Diagnostic settings removed from a resource
metadata:
  support:
    tier: Community
  author:
    name: KennethMLdk
  categories:
    domains:
    - Security - Others
    - Platform
  source:
    kind: Community
triggerThreshold: 0
queryPeriod: 2h
query: |
  AzureActivity
  | where OperationNameValue =~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"
  | summarize
      TimeGenerated = arg_max(TimeGenerated, Properties),
      ActivityStatusValue = make_set(ActivityStatusValue, 5),
      take_any(Caller, CallerIpAddress, OperationName, ResourceGroup, Resource)
      by CorrelationId, _ResourceId, OperationNameValue
  | extend ResourceHierarchy = split(_ResourceId, "/")
  | extend MonitoredResourcePath = strcat_array(array_slice(ResourceHierarchy, 0, array_length(ResourceHierarchy)-5), "/")
  | join kind=leftanti (
      AzureActivity
      | where OperationNameValue !~ "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and OperationNameValue endswith "/DELETE" and ActivityStatusValue has_any ("Success", "Succeeded")
      | project _ResourceId
  ) on $left.MonitoredResourcePath == $right._ResourceId
  | extend
      Name = iif(Caller has "@", tostring(split(Caller, "@")[0]), ""),
      UPNSuffix = iif(Caller has "@", tostring(split(Caller, "@")[1]), ""),
      AadUserId = iif(Caller has "@", "", Caller)
  | project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, OperationName, ActivityStatusValue, ResourceGroup, MonitoredResourcePath, Resource, Properties, Name, UPNSuffix, AadUserId, _ResourceId, CorrelationId  
relevantTechniques:
- T1562.008
id: 6e95aef3-a1e0-4063-8e74-cd59aa59f245
queryFrequency: 1h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: AadUserId
    identifier: AadUserId
- entityType: IP
  fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
triggerOperator: gt
version: 1.0.3