Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Azure Storage Accounts

Azure Storage Accounts
Azure Storage Accounts icon

Out-of-the-Box Security For Azure Storage Accounts Includes:

Alerts - 7

Stay on top of Azure Storage Accounts key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A Blob Storage Was Allowed Public Access

This alert detects when a configuration of a storage account has allowed public access to it's blob storage. Blob storage are files storages, if not authorized, allowing public access to them might compromise internal network information. This alert indicate that the ability to expose a blob storage to the internet through ACLs has been enabled, not that a blob storage is currently exposed to the world. Impact Blob storage containers are the flat file storage entities of Azure. The enabling of public access to blob storage containers should be inspected and verified as they can expose company information to the world. It can also indicate an attacker activity to expose internal network resources to the world to harm or exfiltrate them. Mitigation Validate that the change was authorized and intended, revert and further investigate if not. Give special attention to multiple exposure events or systemic change as they can indicate malicious activity. MITRE Tactic: TA0001 MITRE Technique: T1190

A Storage Account Was Deleted

This alert detects when a Storage account was deleted. Impact Storage accounts are the main storage function of Azure. The deletion of a storage accounts should be inspected and verified as it could be an attacker trying to harm the system. Mitigation Validate that the deletion was authorized and intended, restore account and further investigate if not. Give special attention to multiple deletion events that can indicate malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

A blob storage container was created, modified or restored

This alert detects when an blob storage container was created, modified or restored. Impact blob storage containers are the flat file storage entities of Azure. The creation or modification of blob storage containers should be inspected and verified as they can consume resources and incur charges. It can also indicate an attacker activity to get access to internal resources or harm the company system. Mitigation Validate that the change was authorized and intended, revert and further investigate if not. Give special attention to multiple creation or modification events or systemic change as they can indicate malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

A Storage Account Key Was Regenerated

This alert detects when an storage account key was regenerated. Storage accounts keys are the main way to access Azure storage accounts. A regenerated key means that the access through the old keys was revoked and that new keys are needed in any service that needs access to that account. Note that rotating keys can also be a security preventive measure to block access if there is a suspicion that the old keys were compromised. Impact An attacker can regenerate keys to block access to a storage account and allow himself sole access to an account. The creation of new keys should be inspected and verified as legitimate as it could indicate malicious activity (intended or not). Mitigation Validate that the change was authorized and intended, as keys can also be rotated by mistake or without understanding the implication of regenerating them. Rotated keys cannot be reverted back to the old keys, remediation is mainly checking for any depended service and changing the keys to the new keys as necessary. Give special attention to multiple rotation events or systemic change of different accounts that can indicate malicious activity. MITRE Tactic: TA0006 MITRE Technique: T1528

A Storage Account Was Created, Modified or Restored

This alert detects when an Storage account was created, modified or restored. Impact Storage accounts are the main storage function of Azure. The creation or modification of storage accounts should be inspected and verified as they can consume resources and incur charges. It can also indicate an attacker activity to get access to internal resources or harm the company system. Mitigation Validate that the change was authorized and intended, revert and further investigate if not. Give special attention to multiple creation events or systemic change of a different accounts that can indicate malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

No logs from Azure Storage Accounts

This rule detects if there are no logs in the last 4 hours for Azure Storage Accounts in the customer account. Note- This alert should configured with relevant app & subsystem. Impact Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. Mitigation Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system. MITRE Tactic: TA0005 MITRE Technique:T1562

Storage Account List Keys Audit Trail

Storage Account Listing keys is a critical operation that grants access to the primary and secondary keys used to authenticate and authorize applications or services interacting with the storage account. It is essential to maintain a comprehensive record of these actions for security, compliance, and accountability purposes. Impact The impact ofStorage Account List Keys Audit Trail has various impacts on an organization's security, compliance, and overall data protection practices. Mitigation Validate that the change was authorized and intended, as keys can also be rotated by mistake or without understanding the implication of regenerating them. Rotated keys cannot be reverted back to the old keys, remediation is mainly checking for any depended service and changing the keys to the new keys as necessary. Give special attention to multiple rotation events or systemic change of different accounts that can indicate malicious activity. MITRE Tactic: TA0006 MITRE Technique: T1528

Documentation

Learn more about Coralogix's out-of-the-box integration with Azure Storage Accounts in our documentation.

Read More
Schedule Demo