Azure Suspicious Disk Download
Detection overview
Triggers
- An identity created a Shared Access Signature (SAS) URL link to gain access to an Azure resource.
Possible Root Causes
- Unauthorized Access: An attacker may be using SAS URLs to exfiltrate data.
- Legitimate Use: An authorized user is using SAS URLs to access a resource for legitimate purposes, such as starting a new project, backing up data, or accessing files for their job function.
Business Impact
- Exfiltration of sensitive business data is often the final stage of a security compromise.
- Loss of control over company secrets and intellectual property due to unauthorized data exposure.
Steps to Verify
- Investigate the Identity: Review the account that created and used the SAS URL for signs of malicious activity, which may indicate account compromise.
- Check for Data Loss: Assess the details and contents of the accessed resources to determine potential exposure risks.
- If Malicious Actions Are Suspected:
- Disable the credentials associated with this alert to prevent further unauthorized access.
- Perform a comprehensive investigation to assess the scope of compromise and data loss.
Azure Suspicious Disk Download
Possible root causes
Malicious Detection
Benign Detection
Azure Suspicious Disk Download
Example scenarios
Azure Suspicious Disk Download
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Azure Suspicious Disk Download
Steps to investigate
Azure Suspicious Disk Download
MITRE ATT&CK techniques covered
Azure Suspicious Disk Download
Related detections
No items found.