惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Security Blog
Microsoft Security Blog
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
S
SegmentFault 最新的问题
WordPress大学
WordPress大学
Hugging Face - Blog
Hugging Face - Blog
人人都是产品经理
人人都是产品经理
美团技术团队
博客园 - 三生石上(FineUI控件)
Jina AI
Jina AI
V
Visual Studio Blog
腾讯CDC
小众软件
小众软件
有赞技术团队
有赞技术团队
博客园 - 聂微东
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
IT之家
IT之家
C
CERT Recently Published Vulnerability Notes
大猫的无限游戏
大猫的无限游戏
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Hacker News
The Hacker News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Troy Hunt's Blog
月光博客
月光博客
雷峰网
雷峰网
T
Tor Project blog
I
Intezer
S
Securelist
罗磊的独立博客
The Register - Security
The Register - Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
NISL@THU
NISL@THU
Google Online Security Blog
Google Online Security Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Cisco Talos Blog
Cisco Talos Blog
云风的 BLOG
云风的 BLOG
www.infosecurity-magazine.com
www.infosecurity-magazine.com
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
Lohrmann on Cybersecurity
The Cloudflare Blog
Attack and Defense Labs
Attack and Defense Labs
P
Privacy International News Feed
W
WeLiveSecurity
Forbes - Security
Forbes - Security
量子位
Last Week in AI
Last Week in AI

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-06-06 · via Vectra AI Blog

This blog explains how Microsoft's shift from the legacy Azure Diagnostics Agent to the Azure Monitor Agent fundamentally changes how VM logging is controlled and highlights how this redesign can introduce detection blind spots if security teams don't update their monitoring approach.

Following this change, a single, low-visibility API action can silently disrupt logging across multiple systems, increasing the risk of missed or misattributed security events.

We explain what changed and how to adapt.

We reported this behavior to Microsoft, who acknowledged it and are implementing changes to improve visibility, including additional VM-level logging for DCR association removal. These changes are expected to roll out by April 21. We will update this post as more details become available.

Shift from VM Extensions to DCR-based Logging

On March 31st 2026, Microsoft retired the legacy Azure Diagnostics Agent (WAD/LAD) and replaced it with the Azure Monitor Agent (AMA), shifting VM logging from VM-level extensions to centralized Data Collection Rules (DCRs) and DCR associations.

This change moves control of logging into the control plane, fundamentally altering how logging changes and disruptions appear in Azure Activity Logs.

Impact on IT and SecOps

Previously, logging changes were tied to VM extension activity. A common signal for logging-related changes was:

Microsoft.Compute/virtualMachines/extensions/write

With AMA, logging is controlled through DCRs, meaning it can be modified or removed via control-plane operations such as:

  • Microsoft.Insights/dataCollectionRuleAssociations/write
  • Microsoft.Insights/dataCollectionRuleAssociations/delete
  • Microsoft.Insights/dataCollectionRules/write
  • Microsoft.Insights/dataCollectionRules/delete

In testing, removing a DCR or its association stops logging immediately. However, the expected VM extension signal is delayed by 2-2.5 hours and attributed to a Microsoft-managed identity as opposed to an actionable actor.

This introduces two risks: delayed detection and loss of attribution, breaking assumptions in existing detections.

What Happens in Practice

We tested this behavior using Azure VMs with AMA installed and creating a DCR associated with multiple VMs. Key differences were observed between Portal and API behavior:

  • The Azure Portal prevents deleting a DCR with active associations.
  • The API allows deleting a DCR and all associations in a single call (deleteAssociations=true).

From a logging perspective:

  • Logging stops immediately across all affected VMs.
  • Only a single Microsoft.Insights/dataCollectionRules/delete event was observed.
  • No individual association delete events are logged.

This means a single API call can disable logging across multiple VMs while generating minimal telemetry.

Detection Gaps Introduced

These behaviors create detection gaps:

  • Portal and API actions generate different telemetry.
  • A single API call can remove logging with minimal visibility.
  • VM extension signals are delayed and cannot be attributed making them less reliable indicators.

As a result, detections relying on extension activity only may completely miss or misinterpret logging disruption.

What to Monitor Going Forward

At a minimum, defenders should expand coverage for:

  • Microsoft.Insights/dataCollectionRuleAssociations/delete (resource-level logging disruption)
  • Microsoft.Insights/dataCollectionRules/delete (multi-resource impact via single action)
  • Microsoft.Insights/dataCollectionRules/write (configuration tampering)

The Need for Resilient Coverage

This shift underscores the need for detections that remain effective despite changes in the threat landscape and the attack surface.

At Vectra AI, we updated detection coverage to prioritize DCR and DCR association events over VM extension activity before this change took effect ensuring visibility into logging disruption and actionable attribution of related defense evasion activities.

By continuously monitoring both attacker behaviors and platform changes attackers we proactively adapt our coverage ensuring customers receive up-to-date, robust and reliable coverage even as underlying telemetry and control mechanisms change.

Microsoft Communication and Follow-up

Microsoft communicated this change through a Service Health advisory tied to the retirement of the Azure Diagnostics Agent and the migration to AMA before March 31, 2026.

Microsoft announced this change through a Service Health advisory as part of the AMA migration ahead of the March 31, 2026 retirement deadline. We opened a ticket with Microsoft regarding the observed behavior and the security implications observed in testing. This was accepted by Microsoft and is being investigated with updates expected April 21st. We will update this post as guidance evolves.

Bottom Line

This is not just an agent migration. It changes where logging is controlled and how disruption occurs. Teams relying on Azure Activity Logs for detect tampering should update coverage promptly to ensure defense evasion behaviors are not missed.