Azure Storage Account Blob Public Access Enabled

Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/09/22"
integration = ["azure"]
maturity = "production"
updated_date = "2025/09/22"

[rule]
author = ["Elastic"]
description = """
Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This
technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose
non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the
Microsoft.Storage/storageAccounts/write operation to modify public access settings.
"""
false_positives = [
    """
    Storage administrators may legitimately enable public access for specific business requirements such as hosting
    public content or CDN integration. Verify that the configuration change was expected and follows organizational
    policies. Consider exceptions for approved storage accounts.
    """,
]
from = "now-9m"
index = ["logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Storage Account Blob Public Access Enabled"
note = """## Triage and analysis

### Investigating Azure Storage Account Blob Public Access Enabled

Azure Storage Accounts provide cloud storage solutions with various access control mechanisms. The public access setting, when enabled, allows anonymous internet access to blob containers, bypassing authentication requirements. Adversaries exploit this feature to expose sensitive data for exfiltration or to establish persistent external access. This detection monitors for successful modifications that enable public blob access, a technique notably used in STORM-0501 cloud ransom-based campaigns.

### Possible investigation steps

- Review the Azure activity logs to identify the user or service principal that initiated the storage account modification by examining the principal ID, UPN and user agent fields.
- Check the specific storage account name in `azure.resource.name` to understand which storage resources were affected and assess the sensitivity of data stored there.
- Investigate the timing of the event to correlate with any other suspicious activities, such as unusual login patterns or privilege escalation attempts.
- Examine the request or response body details to understand the full scope of changes made to the storage account configuration beyond public access settings.
- Review access logs for the affected storage account to identify any subsequent data access or exfiltration attempts following the public access enablement.
- Verify if the storage account modification aligns with approved change requests or maintenance windows in your organization.
- Check for other storage accounts modified by the same principal to identify potential lateral movement or widespread configuration changes.
- Pivot into related activity for the storage account and/or container such as data deletion, encryption or further permission changes.

### False positive analysis

- Legitimate CDN integration or public website hosting may require enabling public blob access. Document approved storage accounts used for public content delivery and create exceptions for these specific resources.
- DevOps automation tools might temporarily enable public access during deployment processes. Identify service principals used by CI/CD pipelines and consider time-based exceptions during deployment windows.
- Testing and development environments may have different access requirements. Consider filtering out non-production storage accounts if public access is acceptable in those environments.
- Migration activities might require temporary public access. Coordinate with infrastructure teams to understand planned migrations and create temporary exceptions with defined expiration dates.

### Response and remediation

- Immediately disable public blob access on the affected storage account using the Azure Portal, IaC, or an Azure CLI command.
- Audit all blob containers within the affected storage account to identify which data may have been exposed and assess the potential impact of the exposure.
- Review Azure Activity Logs and storage access logs to determine if any data was accessed or exfiltrated while public access was enabled.
- Rotate any credentials, keys, or sensitive data that may have been stored in the exposed blob containers.
- If unauthorized modification is confirmed, disable the compromised user account or service principal and investigate how the credentials were obtained.
- Implement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data, using built-in policy definitions for storage account public access restrictions.
- Consider implementing private endpoints for storage accounts that should never be publicly accessible, ensuring network-level isolation.
"""
references = [
    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/",
    "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure",
]
risk_score = 47
rule_id = "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Storage",
    "Data Source: Azure",
    "Data Source: Azure Activity Logs",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "azure.activitylogs" and
event.action: "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" and
event.outcome: "success" and
azure.activitylogs.properties.responseBody: *\"allowBlobPublicAccess\"\:true*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.resource.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
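As an added illustration, not Elastic's code and not part of the rule above, the following Python re-implements what the rule does: the four KQL clauses (dataset, the storageAccounts/write action, a successful outcome, and the literal `"allowBlobPublicAccess":true` substring in the raw responseBody) plus the new_terms suppression, under which a storage account name only alerts when no query-matching document carried it within the 7-day history window. It also models the false-positive guidance as an exception list of documented public accounts. The activity-log documents, the storage account names, the principals in `user.name` and the extra `minimumTlsVersion` property are all constructed; the history window is evaluated per event rather than per rule run, which is an approximation of how the Elastic rule type schedules its lookback.

```python
"""Added example (not Elastic's code): replays the rule's query and
new_terms logic over constructed Azure Activity Log documents."""
from datetime import datetime, timedelta
import json

# rule.new_terms history_window_start = "now-7d": a resource name is "new"
# when no query-matching document carried it in the previous 7 days.
HISTORY_WINDOW = timedelta(days=7)

# The exact substring the rule's wildcard clause looks for in responseBody.
PUBLIC_ACCESS_MARKER = '"allowBlobPublicAccess":true'

WRITE = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"


def _compact(obj):
    """Serialize like the Azure responseBody field: no whitespace."""
    return json.dumps(obj, separators=(",", ":"))


def _event(ts, name, action, outcome, public, principal):
    """Build one constructed activity-log document with the fields the rule reads."""
    body = {"properties": {"allowBlobPublicAccess": public, "minimumTlsVersion": "TLS1_2"}}
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.activitylogs", "action": action, "outcome": outcome},
        "user": {"name": principal},  # assumed ECS field for the acting principal
        "azure": {
            "resource": {"name": name},
            "activitylogs": {"properties": {"responseBody": _compact(body)}},
        },
    }


# Constructed sample documents, oldest first; comments state the expected verdict.
SAMPLE_EVENTS = [
    # Documented CDN account made public by a pipeline identity: dropped by the exception.
    _event("2025-09-10T08:00:00Z", "cdnassets01", WRITE, "success", True, "sp-cdn-deploy"),
    # First public-access write on a sensitive account: alerts.
    _event("2025-09-12T09:30:00Z", "finance-data", WRITE, "success", True, "alice@example.com"),
    # Same account two days later: already in the 7-day history, suppressed.
    _event("2025-09-14T11:00:00Z", "finance-data", WRITE, "success", True, "alice@example.com"),
    # Write that leaves public access disabled: responseBody clause does not match.
    _event("2025-09-15T12:00:00Z", "hrdocs", WRITE, "success", False, "bob@example.com"),
    # Failed attempt: event.outcome is not "success".
    _event("2025-09-16T10:00:00Z", "hrdocs", WRITE, "failure", True, "bob@example.com"),
    # Different operation on the account: event.action clause does not match.
    _event("2025-09-17T10:00:00Z", "hrdocs",
           "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "success", True, "bob@example.com"),
    # Eleven days after the last match for this account: aged out of history, alerts again.
    _event("2025-09-25T17:05:00Z", "finance-data", WRITE, "success", True, "svc-backup"),
]


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def matches_query(event):
    """Evaluate the rule's four KQL clauses on one document."""
    ev = event.get("event", {})
    body = (event.get("azure", {}).get("activitylogs", {})
            .get("properties", {}).get("responseBody", ""))
    return (ev.get("dataset") == "azure.activitylogs"
            and ev.get("action") == WRITE
            and ev.get("outcome") == "success"
            and PUBLIC_ACCESS_MARKER in body)


def evaluate(events, approved_accounts=frozenset()):
    """Return the alerts the rule would raise, oldest first.

    approved_accounts models a rule exception for storage accounts documented
    as intentionally public: those documents are dropped before matching, so
    they neither alert nor seed the new_terms history.
    """
    last_seen, alerts = {}, []
    for event in sorted(events, key=_ts):
        name = event["azure"]["resource"]["name"]
        if name in approved_accounts or not matches_query(event):
            continue
        when = _ts(event)
        previous = last_seen.get(name)
        if previous is None or when - previous > HISTORY_WINDOW:
            # Carry the parsed response properties so the analyst sees the
            # full scope of the change, not only the public-access flag.
            props = json.loads(event["azure"]["activitylogs"]["properties"]["responseBody"])
            alerts.append({"timestamp": event["@timestamp"], "resource": name,
                           "principal": event["user"]["name"],
                           "response_properties": props["properties"]})
        last_seen[name] = when
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, approved_accounts={"cdnassets01"}):
        print(alert)
```

Running the module prints two alerts for finance-data (12 September and 25 September) and none for cdnassets01 or hrdocs; removing the exception set makes the cdnassets01 write alert as well, which is the trade-off the false-positive section describes.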
