Azure Suspect Public Storage Account Change
Detection overview
Triggers
- An entity was observed enabling public access to a given Storage Account.
Possible Root Causes
- Unauthorized Modification: An attacker may be scanning and modifying storage account configurations to enable data exfiltration.
- IT Misconfiguration: An authorized administrator may have unintentionally altered security settings, weakening the storage account's security posture and increasing the risk of data loss.
- Legitimate Administrative Action: An administrator or automated task is making authorized modifications to access controls on a storage account.
Business Impact
- Malicious or unintentional weakening of security controls around storage accounts can lead to data loss.
Steps to Verify
- Investigate the Initiating Account: Review the account or entity that made the change for other signs of malicious activity.
- Check for Data Loss: Investigate whether any unauthorized data access or exfiltration has occurred.
- Validate Public Access: Determine if the storage account in question is authorized for public access based on security policies.
- If Malicious Actions or High-Risk Configurations Are Suspected:
- Revert the configuration to restrict public access.
- Disable credentials associated with the alert to prevent further unauthorized modifications.
- Conduct a comprehensive investigation to determine the extent of potential exposure and assess the scope of impacted resources.
Azure Suspect Public Storage Account Change
Possible root causes
Malicious Detection
Benign Detection
Azure Suspect Public Storage Account Change
Example scenarios
Azure Suspect Public Storage Account Change
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspect Public Storage Account Change
Steps to investigate
Azure Suspect Public Storage Account Change
MITRE ATT&CK techniques covered
Azure Suspect Public Storage Account Change
Related detections
No items found.