
Quick Start Security for Azure Storage Accounts

Azure Storage Accounts

Coralogix Extension For Azure Storage Accounts Includes:

Alerts - 7

Stay on top of Azure Storage Accounts key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A Blob Storage Was Allowed Public Access

This alert detects when a storage account configuration has allowed public access to its blob storage. Blob storage holds files; allowing unauthorized public access to it might compromise internal network information. This alert indicates that the ability to expose a blob storage to the internet through ACLs has been enabled, not that a blob storage is currently exposed to the world.

Impact: Blob storage containers are the flat file storage entities of Azure. The enabling of public access to blob storage containers should be inspected and verified, as it can expose company information to the world. It can also indicate attacker activity to expose internal network resources to the world in order to harm or exfiltrate them.

Mitigation: Validate that the change was authorized and intended; revert and investigate further if not. Give special attention to multiple exposure events or systemic change, as they can indicate malicious activity.

MITRE Tactic: TA0001
MITRE Technique: T1190

A Storage Account Was Deleted

This alert detects when a storage account was deleted.

Impact: Storage accounts are the main storage function of Azure. The deletion of a storage account should be inspected and verified, as it could be an attacker trying to harm the system.

Mitigation: Validate that the deletion was authorized and intended; restore the account and investigate further if not. Give special attention to multiple deletion events, as they can indicate malicious activity.

MITRE Tactic: TA0005
MITRE Technique: T1578

A blob storage container was created, modified or restored

This alert detects when a blob storage container was created, modified or restored.

Impact: Blob storage containers are the flat file storage entities of Azure. The creation or modification of blob storage containers should be inspected and verified, as they can consume resources and incur charges. It can also indicate attacker activity to gain access to internal resources or harm the company system.

Mitigation: Validate that the change was authorized and intended; revert and investigate further if not. Give special attention to multiple creation or modification events or systemic change, as they can indicate malicious activity.

MITRE Tactic: TA0005
MITRE Technique: T1578

A Storage Account Key Was Regenerated

This alert detects when a storage account key was regenerated. Storage account keys are the main way to access Azure storage accounts. A regenerated key means that access through the old keys was revoked and that the new keys are needed in any service that accesses that account. Note that rotating keys can also be a preventive security measure to block access if there is a suspicion that the old keys were compromised.

Impact: An attacker can regenerate keys to block access to a storage account and grant themselves sole access to it. The creation of new keys should be inspected and verified as legitimate, as it could indicate malicious activity (intended or not).

Mitigation: Validate that the change was authorized and intended, as keys can also be rotated by mistake or without understanding the implication of regenerating them. Rotated keys cannot be reverted to the old keys; remediation consists mainly of checking for any dependent service and switching it to the new keys as necessary. Give special attention to multiple rotation events or systemic change across different accounts, as they can indicate malicious activity.

MITRE Tactic: TA0006
MITRE Technique: T1528

A Storage Account Was Created, Modified or Restored

This alert detects when a storage account was created, modified or restored.

Impact: Storage accounts are the main storage function of Azure. The creation or modification of storage accounts should be inspected and verified, as they can consume resources and incur charges. It can also indicate attacker activity to gain access to internal resources or harm the company system.

Mitigation: Validate that the change was authorized and intended; revert and investigate further if not. Give special attention to multiple creation events or systemic change across different accounts, as they can indicate malicious activity.

MITRE Tactic: TA0005
MITRE Technique: T1578

No logs from Azure Storage Accounts

This rule detects if there are no logs in the last 4 hours for Azure Storage Accounts in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Storage Account List Keys Audit Trail

Listing storage account keys is a critical operation that grants access to the primary and secondary keys used to authenticate and authorize applications or services interacting with the storage account. It is essential to maintain a comprehensive record of these actions for security, compliance, and accountability purposes.

Impact: Listing storage account keys affects an organization's security, compliance, and overall data protection practices in various ways.

Mitigation: Validate that the change was authorized and intended, as keys can also be rotated by mistake or without understanding the implication of regenerating them. Rotated keys cannot be reverted to the old keys; remediation consists mainly of checking for any dependent service and switching it to the new keys as necessary. Give special attention to multiple rotation events or systemic change across different accounts, as they can indicate malicious activity.

MITRE Tactic: TA0006
MITRE Technique: T1528
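As an added example (not Coralogix's rule logic), the following Python shows how the alert conditions above can be checked against Azure Activity Log records: a classifier keyed on the Microsoft.Storage resource-provider operation names, plus the 4-hour silence check from the "No logs" rule. The operation-name-to-alert mapping, the flattened allowBlobPublicAccess field and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Azure resource-provider operation names mapped to the alert titles on this
# page. The mapping is this example's assumption, not Coralogix's rule logic.
OPERATION_ALERTS = {
    "Microsoft.Storage/storageAccounts/delete":
        "A Storage Account Was Deleted",
    "Microsoft.Storage/storageAccounts/regenerateKey/action":
        "A Storage Account Key Was Regenerated",
    "Microsoft.Storage/storageAccounts/listKeys/action":
        "Storage Account List Keys Audit Trail",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write":
        "A blob storage container was created, modified or restored",
    "Microsoft.Storage/storageAccounts/write":
        "A Storage Account Was Created, Modified or Restored",
}

def classify(record):
    """Return the alert titles one activity-log record raises.
    Only successful operations count: a denied attempt changed nothing."""
    if record.get("resultType") != "Success":
        return []
    alerts = []
    op = record.get("operationName", "")
    if op in OPERATION_ALERTS:
        alerts.append(OPERATION_ALERTS[op])
    # Public access fires when the account-level setting is switched on (what
    # the page describes), not when a specific container is actually exposed.
    # The flattened "allowBlobPublicAccess" field is a constructed record shape.
    props = record.get("properties", {})
    if op == "Microsoft.Storage/storageAccounts/write" and props.get("allowBlobPublicAccess") is True:
        alerts.append("A Blob Storage Was Allowed Public Access")
    return alerts

def no_logs(records, now_iso, window_hours=4):
    """True when no storage-account record fell inside the last window_hours."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=window_hours)
    return not any(datetime.fromisoformat(r["time"]) >= cutoff for r in records)

# Constructed sample records, not real telemetry.
SAMPLE = [
    {"time": "2024-05-01T10:00:00+00:00", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/regenerateKey/action"},
    {"time": "2024-05-01T10:05:00+00:00", "resultType": "Success",
     "operationName": "Microsoft.Storage/storageAccounts/write",
     "properties": {"allowBlobPublicAccess": True}},
    {"time": "2024-05-01T10:06:00+00:00", "resultType": "Failure",
     "operationName": "Microsoft.Storage/storageAccounts/delete"},
]
```

Repeated hits of the same alert across a short window, which the page singles out as a stronger signal, can be counted by running classify over a batch and grouping by title.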

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Storage Accounts in our documentation.
