Tags: azure, impair defenses, for security teams

Blinding the SOC: when Defender and Sentinel are switched off

An attacker turns off the lights first: Defender downgraded, Sentinel rules deleted, diagnostics cut. The disabling actions are the alert, because the Activity Log still records them.

A capable attacker turns off the lights before working. If the alerting pipeline is the thing being deleted, the question is what alert you have left. The answer is that the act of disabling is itself logged.

How the attack works

From Security Admin or Owner scope, the attacker downgrades Microsoft Defender for Cloud plans to Free via Microsoft.Security/pricings/write operations, deletes Sentinel analytics rules and a data connector, and removes the diagnostic settings that ship resource logs to the workspace. With telemetry severed, follow-on activity generates no alerts and leaves only thin logs. The key signal is that these disabling actions are control-plane writes the Azure Activity Log captures even as the downstream pipeline goes dark, and the sudden gap in expected ingestion is itself an absence-of-data signal. A Sentinel incident spike will never come, because the rules are gone, so waiting for one is exactly what the attacker wants: you detect the blinding, not the thing it hid. In ATT&CK terms this is T1562, Impair Defenses, with T1070, Indicator Removal.

Why it works

Standing high privilege could change security controls in seconds, and those controls were not locked or gated. Nothing made turning off the monitoring hard or noisy.

How to fix it

Re-enabling monitoring alone invites an immediate re-disable, so do both: restore Defender plans, Sentinel rules, connectors, and diagnostic settings from version-controlled config, and revoke the role assignment holding the security-control write permissions. For the gap window, the surviving Activity Log is your authoritative record, since it persists independently of diagnostic settings; an immutable export of it survives tampering. Afterward, protect the protections with deny assignments or locks and PIM on security settings, alert on Defender pricing and diagnosticSettings changes, and keep Sentinel content as code.
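The detection the two sections above describe, run over the surviving Activity Log rather than inside Sentinel, as an added example that is not part of the original note or the GraphLattice scenario. It assumes a simplified export record shape (operationName, status, caller, time, properties.requestbody), treats the Sentinel and diagnostic-setting operation names as assumptions derived from their provider names, and uses constructed sample events with placeholder identities.

```python
# Added example: flag "blinding" control-plane writes in exported Azure Activity Log records,
# which persist after Sentinel rules and diagnostic settings are gone. Record shape is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

BLINDING_OPS = {  # lower-cased operation name -> label (only pricings/write is from the note)
    "microsoft.security/pricings/write": "defender-plan-write",
    "microsoft.securityinsights/alertrules/delete": "sentinel-rule-delete",
    "microsoft.securityinsights/dataconnectors/delete": "sentinel-connector-delete",
    "microsoft.insights/diagnosticsettings/delete": "diagnostic-setting-delete",
}

def classify(event):
    """Label a successful blinding operation, or return None."""
    if event.get("status", "").lower() != "succeeded":
        return None
    label = BLINDING_OPS.get(event.get("operationName", "").lower())
    if label == "defender-plan-write":  # surface a downgrade to Free when the body is exported
        body = str(event.get("properties", {}).get("requestbody", "")).replace(" ", "").lower()
        if '"pricingtier":"free"' in body:
            label = "defender-plan-downgrade-to-free"
    return label

def detect_blinding(events, window_minutes=15, min_ops=2):
    """Report callers with >= min_ops blinding actions inside one window. A burst from one
    identity is the attacker pattern; a lone operator delete stays below the threshold."""
    by_caller = defaultdict(list)
    for e in events:
        label = classify(e)
        if label:
            ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            by_caller[e["caller"]].append((ts, label))
    findings = []
    for caller, ops in sorted(by_caller.items()):
        ops.sort()
        for i, (start, _) in enumerate(ops):
            burst = [lbl for ts, lbl in ops[i:] if ts - start <= timedelta(minutes=window_minutes)]
            if len(burst) >= min_ops:
                findings.append({"caller": caller, "start": start.isoformat(), "actions": burst})
                break  # one finding per caller is enough for triage
    return findings

def ev(t, caller, op, status="Succeeded", body=""):  # builder for the constructed samples
    return {"time": t, "caller": caller, "operationName": op, "status": status,
            "properties": {"requestbody": body}}

SAMPLE_EVENTS = [  # constructed sample; identities are placeholders
    ev("2024-05-01T10:00:00Z", "x@contoso.example", "Microsoft.Security/pricings/write",
       body='{"properties": {"pricingTier": "Free"}}'),
    ev("2024-05-01T10:04:00Z", "x@contoso.example", "Microsoft.SecurityInsights/alertRules/delete"),
    ev("2024-05-01T10:06:00Z", "x@contoso.example", "Microsoft.Insights/diagnosticSettings/delete"),
    ev("2024-05-01T10:07:00Z", "x@contoso.example", "Microsoft.SecurityInsights/dataConnectors/delete", status="Failed"),
    ev("2024-05-01T14:00:00Z", "ops@contoso.example", "Microsoft.Insights/diagnosticSettings/delete"),
]
```

Run `detect_blinding(SAMPLE_EVENTS)` to see the burst from the first identity reported while the single operator delete is not; point the same function at an immutable Activity Log export to cover the gap window.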

Practice it

We built this as a GraphLattice Range scenario so security teams learn to detect the blinding itself and treat the visibility gap as material, not safe.