Azure Storage Account Blob Public Access Enabled

Last updated 15 days ago on 2025-09-22

Created 15 days ago on 2025-09-22

About

Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings.

Tags

Domain: CloudDomain: StorageData Source: AzureData Source: Azure Activity LogsUse Case: Threat DetectionTactic: CollectionLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Collection (TA0009)(opens in a new tab or window)

↳ Data from Cloud Storage (T1530)(opens in a new tab or window)

False Positive Examples

Storage administrators may legitimately enable public access for specific business requirements such as hosting public content or CDN integration. Verify that the configuration change was expected and follows organizational policies. Consider exceptions for approved storage accounts.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.activitylogs-*
Related Integrations: azure(opens in a new tab or window)
Query

event.dataset: "azure.activitylogs" and
event.action: "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE" and
event.outcome: "success" and
azure.activitylogs.properties.responseBody: *\"allowBlobPublicAccess\"\:true*

Install detection rules in Elastic Security

Detect Azure Storage Account Blob Public Access Enabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).