Azure Suspicious Disk Download

Detection overview

Triggers

  • An identity created a Shared Access Signature (SAS) URL to gain access to an Azure resource.

Possible Root Causes

  • Unauthorized Access: An attacker may be using SAS URLs to exfiltrate data.
  • Legitimate Use: An authorized user is using SAS URLs to access a resource for legitimate purposes, such as starting a new project, backing up data, or accessing files for their job function.

Business Impact

  • Exfiltration of sensitive business data is often the final stage of a security compromise.
  • Loss of control over company secrets and intellectual property due to unauthorized data exposure.

Steps to Verify

  • Investigate the Identity: Review the account that created and used the SAS URL for signs of malicious activity, which may indicate account compromise.
  • Check for Data Loss: Assess the details and contents of the accessed resources to determine potential exposure risks.
  • If Malicious Actions Are Suspected:
    • Disable the credentials associated with this alert to prevent further unauthorized access.
    • Perform a comprehensive investigation to assess the scope of compromise and data loss.
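
As an added example (not part of the original page or of the vendor's detection logic), the following Python triage helper applies the verification steps above to Azure Activity Log records: it keeps only successful disk SAS grants, then scores each identity by whether it is a known disk-export principal and by how many distinct disks it exported within a short window. The operation name, the field names and the sample records are assumptions constructed for the example; check them against your own Activity Log export before relying on them.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Activity Log operation recorded when a SAS URL is granted on a managed disk
# (assumed name; confirm it against operationName values in your own export).
DISK_SAS_OPERATION = "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION"

# Constructed sample Activity Log records (JSON lines), not real tenant data.
SAMPLE_LOG = """
{"time": "2024-05-01T09:12:00Z", "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "caller": "backup-svc@example.com", "callerIpAddress": "10.0.0.5", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/disks/vm1-osdisk", "resultType": "Success"}
{"time": "2024-05-02T02:03:00Z", "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "caller": "jdoe@example.com", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/disks/vm1-osdisk", "resultType": "Success"}
{"time": "2024-05-02T02:09:00Z", "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "caller": "jdoe@example.com", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/disks/sql01-datadisk", "resultType": "Success"}
{"time": "2024-05-02T02:20:00Z", "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "caller": "jdoe@example.com", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg2/providers/Microsoft.Compute/disks/dc01-osdisk", "resultType": "Success"}
{"time": "2024-05-02T02:21:00Z", "operationName": "MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION", "caller": "jdoe@example.com", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg2/providers/Microsoft.Compute/disks/fs01-datadisk", "resultType": "Failure"}
{"time": "2024-05-02T02:30:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "caller": "jdoe@example.com", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "resultType": "Success"}
"""

def parse_disk_sas_events(jsonl):
    """Keep only successful disk SAS grants and normalise the fields triage needs."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("operationName", "").upper() != DISK_SAS_OPERATION or rec.get("resultType") != "Success":
            continue  # other operations and failed grants are not disk exports
        events.append({"time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
                       "caller": rec["caller"], "ip": rec.get("callerIpAddress", ""),
                       "disk": rec["resourceId"].rsplit("/", 1)[-1]})
    return sorted(events, key=lambda e: e["time"])

def triage(jsonl, known_callers, window=timedelta(hours=1), disk_threshold=3):
    """Per caller: peak distinct disks exported inside one window, source IPs, and why flagged."""
    by_caller = defaultdict(list)
    for e in parse_disk_sas_events(jsonl):
        by_caller[e["caller"]].append(e)
    findings = {}
    for caller, evs in by_caller.items():
        reasons = []
        if caller not in known_callers:
            reasons.append("caller is not a known disk-export identity")
        # Sliding window over this caller's time-sorted events.
        peak = max(len({e["disk"] for e in evs[i:] if e["time"] - evs[i]["time"] <= window})
                   for i in range(len(evs)))
        if peak >= disk_threshold:
            reasons.append(f"{peak} distinct disks exported within {window}")
        findings[caller] = {"disks": peak, "ips": sorted({e["ip"] for e in evs}), "reasons": reasons}
    return findings
```

An identity with an empty `reasons` list matches the benign pattern (a known backup principal touching one disk); a non-empty list is the cue to review the account and the contents of the exported disks as described in the steps above.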