Azure Suspect Public Storage Account Change

Detection overview

Triggers

  • An entity was observed enabling public access to a given Storage Account.

Possible Root Causes

  • Unauthorized Modification: An attacker may be scanning and modifying storage account configurations to enable data exfiltration.
  • IT Misconfiguration: An authorized administrator may have unintentionally altered security settings, weakening the storage account's security posture and increasing the risk of data loss.
  • Legitimate Administrative Action: An administrator or automated task is making authorized modifications to access controls on a storage account.

Business Impact

  • Malicious or unintentional weakening of security controls around storage accounts can lead to data loss.

Steps to Verify

  • Investigate the Initiating Account: Review the account or entity that made the change for other signs of malicious activity.
  • Check for Data Loss: Investigate whether any unauthorized data access or exfiltration has occurred.
  • Validate Public Access: Determine if the storage account in question is authorized for public access based on security policies.
  • If Malicious Actions or High-Risk Configurations Are Suspected:
    • Revert the configuration to restrict public access.
    • Disable credentials associated with the alert to prevent further unauthorized modifications.
    • Conduct a comprehensive investigation to determine the extent of potential exposure and assess the scope of impacted resources.
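
The "Validate Public Access" step can be scripted as a comparison of before and after configuration snapshots against a policy allowlist. This is an added example, not the vendor's detection logic. It assumes the storage account properties `allowBlobPublicAccess`, `publicNetworkAccess` and `networkAcls.defaultAction` are the settings of interest; the event shape, account names, callers and allowlist are constructed for illustration.

```python
# Added example: triage of storage account configuration changes.
# The event shape is constructed; it is not the raw Azure Activity Log schema.
APPROVED_PUBLIC = {"stpublicwebassets"}  # hypothetical policy allowlist

def exposure_flags(props):
    """Return the settings in one configuration snapshot that permit public access.
    Keys absent from the snapshot are not flagged."""
    flags = set()
    if props.get("allowBlobPublicAccess") is True:
        flags.add("anonymous-blob-access")
    acl_default = props.get("networkAcls", {}).get("defaultAction")
    if props.get("publicNetworkAccess") == "Enabled" and acl_default == "Allow":
        flags.add("open-public-network")
    return flags

def triage(events, approved=APPROVED_PUBLIC):
    """Report changes that newly enabled public access and whether policy allows it."""
    findings = []
    for ev in events:
        newly = exposure_flags(ev["after"]) - exposure_flags(ev["before"])
        if not newly:
            continue  # unchanged or tightened exposure: nothing to review
        findings.append({
            "account": ev["account"], "caller": ev["caller"], "time": ev["time"],
            "newly_enabled": sorted(newly),
            "verdict": "approved-public" if ev["account"] in approved else "investigate",
        })
    return findings

LOCKED = {"allowBlobPublicAccess": False, "publicNetworkAccess": "Enabled",
          "networkAcls": {"defaultAction": "Deny"}}
SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2024-01-10T02:14:00Z", "caller": "svc-backup@example.com",
     "account": "stfinancearchive", "before": LOCKED,
     "after": {**LOCKED, "allowBlobPublicAccess": True,
               "networkAcls": {"defaultAction": "Allow"}}},
    {"time": "2024-01-10T09:30:00Z", "caller": "webadmin@example.com",
     "account": "stpublicwebassets", "before": LOCKED,
     "after": {**LOCKED, "allowBlobPublicAccess": True}},
    {"time": "2024-01-10T11:05:00Z", "caller": "admin@example.com",
     "account": "sthrrecords",
     "before": {**LOCKED, "networkAcls": {"defaultAction": "Allow"}},
     "after": LOCKED},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings marked `investigate` feed the remaining steps: review the caller for other suspicious activity and check the account for unauthorized access during the exposure window.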