Elastic Security Detection Rules

Azure Storage Blob Retrieval via AzCopy

Last updated 4 months ago on 2025-10-02
Created 4 months ago on 2025-10-02

About

Identifies successful GetBlob operations on Azure Storage Accounts using AzCopy user agent with SAS token authentication. AzCopy is a command-line utility for copying data to and from Azure Storage. While legitimate for data migration, adversaries may abuse AzCopy with compromised SAS tokens to exfiltrate data from Azure Storage Accounts. This rule detects the first occurrence of GetBlob operations from a specific storage account using this pattern.
Tags
Domain: CloudDomain: StorageData Source: AzureData Source: Azure Platform LogsData Source: Azure StorageUse Case: Threat DetectionTactic: ExfiltrationLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Exfiltration (TA0010)(external, opens in a new tab or window)

Exfiltration Over Web Service (T1567)(external, opens in a new tab or window)

False Positive Examples
Legitimate data migration or backup operations using AzCopy with SAS tokens may trigger this rule.Automated scripts or processes that use AzCopy for routine data transfers from Azure Storage Accounts.DevOps or IT teams performing authorized data transfers or downloads from Azure Storage using AzCopy.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.platformlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
event.dataset: azure.platformlogs and
    event.action: GetBlob and
    azure.platformlogs.identity.type: SAS and
    azure.platformlogs.properties.userAgentHeader: AzCopy* and
    azure.platformlogs.statusCode: 200

Install detection rules in Elastic Security

Detect Azure Storage Blob Retrieval via AzCopy in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).