T1578.003 Delete Cloud Instance Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1578.003 — Delete Cloud Instance
// Detects VM/instance deletion events across Azure and AWS in Microsoft Sentinel
let AzureDeleteOps = dynamic([
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete",
    "Microsoft.ClassicCompute/virtualMachines/delete",
    "Microsoft.ContainerService/managedClusters/delete"
]);
// Azure Activity Log — VM deletions
let AzureVMDeletes = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue in~ (AzureDeleteOps)
| where ActivityStatusValue in~ ("Success", "Accepted", "Succeeded", "Started")
| extend CloudProvider = "Azure"
| extend CallerIdentity = Caller
| extend OperationType = OperationNameValue
| extend ResourceName = Resource
| extend AccountType = iif(CallerIdentity has "@", "UserAccount", "ServicePrincipal")
| project TimeGenerated, CloudProvider, CallerIdentity, AccountType, OperationType,
          ResourceName, ResourceGroup, SubscriptionId, ResourceId,
          ActivityStatusValue, Properties, HTTPRequest;
// AWS CloudTrail — Instance terminations
let AWSInstanceTerminations = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName in ("TerminateInstances", "DeleteInstance", "DeregisterInstance")
| where isempty(ErrorCode)
| extend CloudProvider = "AWS"
| extend CallerIdentity = UserIdentityArn
| extend AccountType = UserIdentityType
| extend OperationType = EventName
| extend ResourceName = tostring(RequestParameters)
| project TimeGenerated, CloudProvider, CallerIdentity, AccountType, OperationType,
          ResourceName, SourceIpAddress, AWSRegion, UserIdentityAccountId,
          UserIdentityType, SessionCreationDate, AdditionalEventData;
// Union both cloud providers
AzureVMDeletes
| union AWSInstanceTerminations
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud: Cloud Service Cloud: Instance Deletion Azure Activity Logs AWS CloudTrail

Required Tables

AzureActivity AWSCloudTrail

False Positives

Auto-scaling scale-in events where the cloud platform terminates instances to reduce capacity based on policy
Infrastructure as Code (Terraform, Pulumi, CloudFormation) teardown operations during legitimate environment decommissioning
DevOps CI/CD pipeline cleanup jobs that destroy ephemeral test or staging environments after pipeline completion
Cloud cost optimization scripts (AWS Instance Scheduler, Azure DevTest Labs auto-shutdown) deleting idle instances on schedule
Spot instance / preemptible VM reclamation by the cloud provider (appears as TerminateInstances from platform service roles)

Splunk

spl

| tstats summariesonly=false allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Cloud_Infrastructure where
    (Cloud_Infrastructure.action=deleted OR Cloud_Infrastructure.action=terminate OR Cloud_Infrastructure.action=deregister)
    AND Cloud_Infrastructure.object_category=instance
    by Cloud_Infrastructure.user, Cloud_Infrastructure.src, Cloud_Infrastructure.object, Cloud_Infrastructure.action, Cloud_Infrastructure.vendor_account, Cloud_Infrastructure.region
| rename Cloud_Infrastructure.* as *
| eval DeleteType="generic"
| append
    [ search index=aws sourcetype=aws:cloudtrail EventName IN ("TerminateInstances","DeleteInstance","DeregisterInstance") errorCode=""
      | eval CloudProvider="AWS"
      | eval CallerIdentity=coalesce(userIdentity.arn, userIdentity.userName, "unknown")
      | eval AccountType=userIdentity.type
      | eval TargetInstances=mvindex(split(tostring(requestParameters.instancesSet.items), ","), 0, 10)
      | eval InstanceCount=mvcount(split(tostring(requestParameters.instancesSet.items), ","))
      | eval DeleteType=if(InstanceCount > 5, "BulkDelete", "SingleDelete")
      | eval SuspicionScore=0
      | eval SuspicionScore=SuspicionScore + if(InstanceCount > 10, 3, if(InstanceCount > 3, 1, 0))
      | eval SuspicionScore=SuspicionScore + if(AccountType="Root", 3, 0)
      | eval SuspicionScore=SuspicionScore + if(match(sourceIPAddress, "^(3\..*|52\..*|54\..*)$") AND AccountType!="AWSService", 1, 0)
      | table _time, CloudProvider, CallerIdentity, AccountType, EventName, awsRegion, sourceIPAddress, TargetInstances, InstanceCount, DeleteType, SuspicionScore, recipientAccountId
    ]
| append
    [ search index=azure sourcetype=azure:monitor:activity operationName="Microsoft.Compute/virtualMachines/delete" OR operationName="Microsoft.Compute/virtualMachineScaleSets/delete" status.value="Succeeded"
      | eval CloudProvider="Azure"
      | eval CallerIdentity=coalesce(caller, "unknown")
      | eval AccountType=if(match(CallerIdentity, "@"), "UserAccount", "ServicePrincipal")
      | eval ResourceName=coalesce(resourceId, "unknown")
      | eval SuspicionScore=0
      | eval SuspicionScore=SuspicionScore + if(AccountType="UserAccount" AND match(operationName, "delete"), 2, 0)
      | eval SuspicionScore=SuspicionScore + if(match(ResourceName, "(?i)(prod|production|critical|primary)"), 2, 0)
      | table _time, CloudProvider, CallerIdentity, AccountType, operationName, subscriptionId, resourceGroupName, ResourceName, SuspicionScore
    ]
| where SuspicionScore >= 1 OR InstanceCount > 3 OR DeleteType="BulkDelete"
| sort - _time

high severity medium confidence

Data Sources

Cloud: Cloud Service Cloud: Instance Deletion AWS CloudTrail Azure Monitor Activity Logs

Required Sourcetypes

aws:cloudtrail azure:monitor:activity

False Positives

Auto-scaling scale-in events where the cloud platform terminates instances to reduce capacity based on policy
Infrastructure as Code (Terraform, Pulumi, CloudFormation) teardown operations during legitimate environment decommissioning
DevOps CI/CD pipeline cleanup jobs that destroy ephemeral test or staging environments after pipeline completion
Cloud cost optimization scripts (AWS Instance Scheduler, Azure DevTest Labs auto-shutdown) deleting idle instances on schedule
Spot instance / preemptible VM reclamation by the cloud provider (appears as TerminateInstances from platform service roles)

Elastic Security (EQL)

eql

any where event.dataset == "azure.activitylogs"
  and event.action : ("Microsoft.Compute/snapshots/write", "Microsoft.Compute/virtualMachines/write",
                      "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/disks/write")
  and not user.name : ("azure-backup-service", "azure-site-recovery")

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

logs-azure.activitylogs.* logs-aws.cloudtrail.*

False Positives

Authorized cloud administrators performing routine snapshot operations
Automated backup solutions creating scheduled snapshots via service accounts
Disaster recovery testing that involves creating and sharing snapshots across accounts
DevOps pipelines that create instance images as part of CI/CD workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

events

False Positives

Authorized cloud administrators performing snapshot and backup operations
Automated DR solutions creating scheduled cloud instance snapshots
DevOps pipelines creating and deleting instances as part of CI/CD
Authorized infrastructure scaling or migration events

Sumo Logic CSE

sql

_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
    if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
    if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
    if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

_sourceCategory=*azure* _sourceCategory=*aws*cloudtrail*

False Positives

Cloud administrators creating authorized snapshots for backup or migration
Automated disaster recovery systems creating scheduled cloud snapshots
DevOps pipelines creating and deleting compute instances as part of CI/CD
Authorized cloud infrastructure migrations between regions or accounts

Google Chronicle / SecOps

yaral

rule T1578_003_cloud_infra_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious cloud infrastructure modifications"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1578.003"
    reference = "https://attack.mitre.org/techniques/T1578/003/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
    not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Cloud audit logs (Azure/AWS)

Required Tables

USER_RESOURCE_ACCESS

False Positives

Authorized cloud administrators performing scheduled backup snapshot creation
Automated disaster recovery solutions creating routine cloud instance snapshots
DevOps CI/CD pipelines creating and deleting compute instances during deployments
Authorized cloud migration projects moving instances between regions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
    OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
    OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security) Cloud audit logs

Required Tables

CloudResourceModification

False Positives

Authorized cloud administrators performing routine snapshot and backup operations
Automated DR and backup solutions creating scheduled cloud instance snapshots
DevOps CI/CD pipelines that create and destroy cloud instances during deployments
Authorized cloud migration projects moving or replicating compute instances

Delete Cloud Instance

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections