The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up.
Data Collection Measures:
eventName: DeleteVolume (tracks volume deletions)operationName: Microsoft.Compute/disks/deletestatus: Success | Failure (flag unauthorized delete attempts)protoPayload.methodName: "v1.compute.disks.delete"authenticationInfo.principalEmail (identifies the user deleting the volume)/var/log/syslog or /var/log/messages for volume detach/deletion actions| Name | Channel |
|---|---|
| AWS:CloudTrail | DeleteVolume, ModifyVolume |
| esxi:vmkernel | file delete|datastore purge |