Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-azure-activity-log-detections
Overview
3Dashboards
36Benchmarks
43Queries
1Variables
GitHub

Detection: Network VPN Connection Deleted

Overview

Detect when an Azure VPN connection was deleted. VPN connections are essential for secure communication between on-premises networks and Azure, and their deletion can disrupt connectivity and compromise operations. Monitoring these deletions ensures network stability and prevents unauthorized or accidental removal of critical connections.

References:

Usage

Run the detection in your terminal:

powerpipe detection run azure_activity_log_detections.detection.network_vpn_connection_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run azure_activity_log_detections.detection.network_vpn_connection_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
operation_name as operation,
resource_id as resource,
caller as actor,
tp_index::varchar as subscription_id,
resource_group_name as resource_group,
tp_id as source_id,
status as event_status,
*


from
  azure_activity_log
where
  operation_name = 'Microsoft.Network/vpnGateways/vpnConnections/delete'
  and status = 'Succeeded'


order by
  timestamp desc;

Tags

category = Detections
mitre_attack_ids = TA0040:T1485
plugin = azure
service = Azure/Network