blob permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1222
azure
elastic

Techniques

T1222

Sample rules

Azure Blob Permissions Modification

source: elastic
technicques:
- T1222

Description

Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target’s security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.

Detection logic

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and
  event.outcome:(Success or success)