File Backup Deletion Alerts

Hunt Hypothesis

Adversaries may delete file backups to eliminate forensic evidence and disrupt recovery efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or ransomware activity early.

KQL Query

AlertInfo
| where Title == "File backups were deleted"
| join AlertEvidence on $left.AlertId == $right.AlertId

Analytic Rule Definition

id: 21444f27-9184-45bf-a335-7b7169a56790
name: File Backup Deletion Alerts
description: |
  This query checks alerts related to file backup deletion and enriches with additional alert evidence information
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertInfo
  - AlertEvidence
tactics:
- Ransomware
query: |
  AlertInfo
  | where Title == "File backups were deleted"
  | join AlertEvidence on $left.AlertId == $right.AlertId

Required Data Sources

Sentinel Table	Notes
`AlertEvidence`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Ransomware

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Ransomware/File Backup Deletion Alerts.yaml)

False Positive Guidance

Scenario: Scheduled Backup Cleanup Job
Description: A legitimate scheduled job (e.g., Veeam Backup & Replication, Commvault, or Veeam Backup for Microsoft 365) runs to delete old backup files as part of routine maintenance.
Filter/Exclusion: Check the process.name or command_line for known backup tools, or use a process.parent filter to identify jobs initiated by a backup service account.
Scenario: User-Initiated File Deletion for Space Management
Description: An admin or user deletes old backup files manually to free up storage space, which may trigger the rule if the deletion is not properly logged or categorized.
Filter/Exclusion: Use a user.name filter to exclude known admin users or check the file.path to exclude known backup directories (e.g., C:\Backup\, /var/backups/).
Scenario: Temporary File Cleanup by System Tools
Description: System maintenance tools like Windows Disk Cleanup, CCleaner, or rsync may delete temporary or obsolete backup files during routine system optimization.
Filter/Exclusion: Filter by process.name to exclude known cleanup tools or use a file.path filter to exclude temporary directories (e.g., C:\Windows\Temp\, /tmp/).
Scenario: Log File Rotation or Archiving
Description: Log management tools like Logrotate, Splunk, or ELK Stack may rotate or archive log files that are stored in a backup-like directory structure.
Filter/Exclusion: Use a file.path filter to exclude log directories (e.g., /var/log/, C:\ProgramData\LogFiles\) or check the process.name for log management tools.
**Scenario: False