access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1190
t1526
azure
elastic

Techniques

T1190
T1526

Sample rules

Azure Blob Container Access Level Modification

source: elastic
technicques:
- T1190
- T1526

Description

Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.

Detection logic

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success)