IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Azure Blob Container Access Level Modification
editAzure Blob Container Access Level Modification
editIdentifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.
Rule type: query
Rule indices:
- filebeat-*
- logs-azure*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-25m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Azure
- Use Case: Asset Visibility
- Tactic: Discovery
Version: 102
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editSetup
editThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Cloud Service Discovery
- ID: T1526
- Reference URL: https://attack.mitre.org/techniques/T1526/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Exploit Public-Facing Application
- ID: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/