Elastic Security Detection Rules

Azure Storage Account Keys Accessed by Privileged User

Last updated 7 days ago on 2025-09-23
Created 7 days ago on 2025-09-23

About

Identifies unusual high-privileged access to Azure Storage Account keys by users with Owner, Contributor, or Storage Account Contributor roles. This technique was observed in STORM-0501 ransomware campaigns where compromised identities with high-privilege Azure RBAC roles retrieved access keys to perform unauthorized operations on Storage Accounts. Microsoft recommends using Shared Access Signature (SAS) models instead of direct key access for improved security. This rule detects when a user principal with high-privilege roles accesses storage keys for the first time in 7 days.
Tags
Domain: CloudDomain: IdentityUse Case: Threat DetectionData Source: AzureData Source: Azure Activity LogsTactic: Credential AccessLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

Credentials from Password Stores (T1555)(opens in a new tab or window)

Initial Access (TA0001)(opens in a new tab or window)

Valid Accounts (T1078)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.activitylogs-*
Related Integrations

azure(opens in a new tab or window)

Query
event.dataset: "azure.activitylogs" and
azure.activitylogs.operation_name: "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION" and
azure.activitylogs.identity.authorization.evidence.principal_type: "User" and
azure.activitylogs.identity.authorization.evidence.role: (
    "Owner" or
    "Contributor" or
    "Storage Account Contributor" or
    "User Access Administrator"
) and event.outcome: "success"

Install detection rules in Elastic Security

Detect Azure Storage Account Keys Accessed by Privileged User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).