LoFP LoFP / storage administrators may legitimately enable public access for specific business requirements such as hosting public content or cdn integration. verify that the configuration change was expected and follows organizational policies. consider exceptions for approved storage accounts.

Techniques

Sample rules

Azure Storage Account Blob Public Access Enabled

Description

Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings.

Detection logic

event.dataset: "azure.activitylogs" and
event.action: "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" and
event.outcome: "success" and
azure.activitylogs.properties.responseBody: *\"allowBlobPublicAccess\"\:true*