Deleted accounts may indicate compromised credentials or insider threats, as adversaries often delete accounts to cover their tracks or remove access after lateral movement. SOC teams should proactively hunt for deleted accounts in Azure Sentinel to identify potential unauthorized access or exfiltration activities.
KQL Query

```kusto
IdentityDirectoryEvents
| where ActionType == "Account deleted"
// AdditionalFields carries the deleting principal under the key "ACTOR.ENTITY_USER";
// parse it once and read that key (the original repeated iff() calls whose branches were identical)
| extend parsed = parse_json(AdditionalFields)
| extend ACTOR_ENTITY_USER = tostring(parsed.["ACTOR.ENTITY_USER"])
| project Timestamp, ActionType, TargetAccountUpn, AccountName, ACTOR_ENTITY_USER, AdditionalFields
```
```yaml
id: e5b0ee9b-7fa4-4641-8363-bd2d72f1bf5b
name: Find_deleted_accounts_and_by_whom
description: |
  Find accounts that have been deleted and by whom
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityDirectoryEvents
tactics:
  - Credential Access
query: |
  IdentityDirectoryEvents
  | where ActionType == "Account deleted"
  // Parse AdditionalFields once and read the actor from the "ACTOR.ENTITY_USER" key
  | extend parsed = parse_json(AdditionalFields)
  | extend ACTOR_ENTITY_USER = tostring(parsed.["ACTOR.ENTITY_USER"])
  | project Timestamp, ActionType, TargetAccountUpn, AccountName, ACTOR_ENTITY_USER, AdditionalFields
version: 1.0.0
metadata:
  source:
    kind: Community
  author:
    name: Matt Novitsch
  support:
    tier: Community
  categories:
    domains: [ "Security - Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| IdentityDirectoryEvents | Ensure this data connector is enabled |
| Scenario (benign deletion) | Filter/Exclusion |
|---|---|
| A system administrator deletes a test account after completing a test environment setup. | `user_name NOT IN ('admin', 'test_admin') or account_type = 'test'` |
| A scheduled job runs to clean up old user accounts during routine maintenance. | `job_name = 'user_cleanup_job' or source_system = 'scheduled_task'` |
| An IT support technician deletes a user account that was previously disabled and no longer needed. | `user_status = 'disabled' or account_creation_date < 90_days_ago` |
| A user account is deleted via the Azure AD portal as part of a bulk deletion process. | `tool_used = 'Azure_AD_portal' or deletion_method = 'bulk_delete'` |
| A developer deletes their own account temporarily to troubleshoot an application issue. | `user_role = 'developer' or deletion_reason = 'temporary'` |
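The filter expressions above use illustrative field names rather than columns that exist in IdentityDirectoryEvents. The following is an added example (not part of the original hunting query or its author's content) that expresses the scenarios that can be mapped onto the table's real columns: test accounts are tuned out by a naming pattern on TargetAccountUpn, the scheduled cleanup job by the service account it runs as, and bulk deletions are aggregated per actor and hour so they can be checked against change records instead of being dropped. The allowlist values, the test-account regex, the lookback and the bulk threshold are assumptions to replace with the tenant's own values; the disabled-state and deletion-reason scenarios are not expressible from this table alone and are left out.

```kusto
// Added example, not the original query. Allowlists and thresholds below are assumed placeholders.
let lookback = 7d;
let cleanup_actors = dynamic(["svc-user-cleanup@contoso.example"]); // assumed: principal that runs the scheduled cleanup job
let test_account_pattern = @"^(test|tst)[-_.]";                      // assumed: naming convention for test accounts
let bulk_threshold = 5;                                              // assumed: deletions per actor per hour treated as bulk
IdentityDirectoryEvents
| where Timestamp > ago(lookback)
| where ActionType == "Account deleted"
| extend parsed = parse_json(AdditionalFields)
| extend Actor = tostring(parsed.["ACTOR.ENTITY_USER"])
| extend DeletedUpn = tolower(TargetAccountUpn)
// Scenario: test accounts removed after environment setup
| where not(DeletedUpn matches regex test_account_pattern)
// Scenario: routine maintenance performed by the cleanup job's service account
| where Actor !in (cleanup_actors)
// Scenario: bulk deletion is surfaced as an attribute of the actor/hour bucket rather than excluded outright
| summarize Deletions = count(),
            DeletedAccounts = make_set(DeletedUpn, 50),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by Actor, Hour = bin(Timestamp, 1h)
| extend Bulk = Deletions >= bulk_threshold
| order by Deletions desc, Hour desc
```

Rows with `Bulk == true` are the candidates for a change-ticket check; a single deletion by an actor outside the allowlist, especially outside business hours, is the case the original hunt is looking for and should be triaged with the full AdditionalFields payload from the base query.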