Azure Storage Blob Retrieval via AzCopy

Last updated: 2025-10-02
Created: 2025-10-02

About

Identifies successful GetBlob operations on Azure Storage Accounts performed with an AzCopy user agent and SAS token authentication. AzCopy is a command-line utility for copying data to and from Azure Storage. While legitimate for data migration, adversaries may abuse AzCopy with stolen or leaked SAS tokens to exfiltrate data from Azure Storage Accounts, because a SAS token grants access without an interactive identity. This rule alerts on the first occurrence of this pattern for a given storage account (the New Terms rule type), so repeated downloads from an account that has already matched do not generate further alerts within the rule's history window.
Tags
Domain: Cloud
Domain: Storage
Data Source: Azure
Data Source: Azure Platform Logs
Data Source: Azure Storage
Use Case: Threat Detection
Tactic: Exfiltration
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)

False Positive Examples
Legitimate data migration or backup operations using AzCopy with SAS tokens may trigger this rule.
Automated scripts or processes that use AzCopy for routine data transfers from Azure Storage Accounts.
DevOps or IT teams performing authorized data transfers or downloads from Azure Storage using AzCopy.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.platformlogs-*
Related Integrations

azure

Query
event.dataset: azure.platformlogs and
    event.action: GetBlob and
    azure.platformlogs.identity.type: SAS and
    azure.platformlogs.properties.userAgentHeader: AzCopy* and
    azure.platformlogs.statusCode: 200
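The query above is only the filter half of the rule; the New Terms rule type then alerts once per storage account when a matching event is seen for the first time. The following is an added example, not Elastic's code or the rule's implementation: it re-implements the five KQL clauses in Python, adds a simplified new-terms check, and runs both over constructed sample events. The new-terms field (`azure.resource.name`, the storage account name), the seven-day history window, the helper `_evt`, and every event value below are assumptions made for the example; the page does not state which field the real rule keys on.

```python
"""Added example (not Elastic's code): the rule's KQL filter re-implemented in
Python together with a simplified New Terms check, run over constructed sample
events. The new-terms field (azure.resource.name, the storage account) and the
history window are assumptions; the page does not name the field the real rule
keys on."""
from datetime import datetime, timedelta


def matches_filter(event: dict) -> bool:
    """Equivalent of the rule's KQL: all five clauses must hold.
    `AzCopy*` is a prefix wildcard on the user-agent header."""
    ua = str(event.get("azure.platformlogs.properties.userAgentHeader", ""))
    return (
        event.get("event.dataset") == "azure.platformlogs"
        and event.get("event.action") == "GetBlob"
        and event.get("azure.platformlogs.identity.type") == "SAS"
        and ua.startswith("AzCopy")
        # statusCode may be mapped as keyword or number; normalise to text
        and str(event.get("azure.platformlogs.statusCode")) == "200"
    )


def new_terms_alerts(events, term_field="azure.resource.name",
                     history_window=timedelta(days=7)):
    """Simplified New Terms evaluation: alert on the first matching event for a
    term value not seen in the preceding history window. Returns a list of
    (term, timestamp) tuples in time order."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        term = ev.get(term_field)
        ts = ev["@timestamp"]
        prev = last_seen.get(term)
        if prev is None or ts - prev > history_window:
            alerts.append((term, ts))
        last_seen[term] = ts
    return alerts


def _evt(ts, account, ua="AzCopy/10.21.0 Azure-Storage/0.1.0", ident="SAS",
         status=200, action="GetBlob"):
    """Build one constructed azure.platformlogs event with flattened field names
    (assumed layout for the example)."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.platformlogs",
        "event.action": action,
        "azure.resource.name": account,
        "azure.platformlogs.identity.type": ident,
        "azure.platformlogs.properties.userAgentHeader": ua,
        "azure.platformlogs.statusCode": status,
    }


T0 = datetime(2025, 10, 2, 9, 0, 0)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _evt(T0, "prodstorage"),                                          # first AzCopy+SAS GetBlob: alert
    _evt(T0 + timedelta(minutes=1), "prodstorage"),                   # same account again: no alert
    _evt(T0 + timedelta(minutes=2), "prodstorage", status=403),       # denied request: filtered out
    _evt(T0 + timedelta(minutes=3), "prodstorage", ident="OAuth"),    # OAuth-authenticated: filtered out
    _evt(T0 + timedelta(minutes=4), "devstorage", ua="Mozilla/5.0"),  # browser user agent: filtered out
    _evt(T0 + timedelta(minutes=5), "devstorage", action="PutBlob"),  # upload, not retrieval: filtered out
    _evt(T0 + timedelta(minutes=6), "devstorage"),                    # second account's first hit: alert
]


def run_rule(events=SAMPLE_EVENTS):
    """Apply filter plus new-terms logic; returns two alerts for the sample set."""
    return new_terms_alerts(events)


if __name__ == "__main__":
    for account, ts in run_rule():
        print(f"{ts.isoformat()} first AzCopy/SAS GetBlob seen on storage account {account}")
```

Two points the example makes visible that the query alone does not: a 403 from an expired or revoked SAS token never matches, so the rule sees only downloads that actually succeeded, and after the first alert for an account a bulk exfiltration of thousands of blobs from that same account produces no further alerts, so triage should pivot to the volume of matching GetBlob events rather than rely on alert count.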

Install detection rules in Elastic Security

Detect Azure Storage Blob Retrieval via AzCopy in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.