Query Details
id: 5f5f0290-f529-461b-bf2f-dbd79348988e
name: Anonymous Retrieval of Azure Blob Versions
version: 1.0.0
kind: Scheduled
description: |-
  This rule detects a sequence of suspicious activities where an unauthenticated (anonymous) source enumerates the version history of a storage blob and subsequently downloads a blob from the same path within a 10-minute window.
  While public access to storage containers may be intentional, attackers frequently target these containers to look for "soft-deleted" data or previous versions of files. They do this to uncover sensitive information (such as hardcoded credentials, API keys, or PII) that may have been present in an older version of a file but removed in the current "live" version.
severity: Low
queryFrequency: 10m
queryPeriod: 12m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - Exfiltration
relevantTechniques:
  - T1530
  - T1567
query: |-
  let VersionEnumeration = StorageBlobLogs
  | where AuthenticationType == "Anonymous"
  | where Uri has "include=versions"
  | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
  | summarize by ObjectKey, EnumerationTimeGenerated=TimeGenerated, IPAddress;
  StorageBlobLogs
  | where AuthenticationType == "Anonymous"
  | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
  | where OperationName == "GetBlob"
  | extend ObjectKeyJSON = parse_path(ObjectKey)
  | extend ObjectKey = tostring(ObjectKeyJSON.DirectoryPath)
  | extend Filename = tostring(ObjectKeyJSON.Filename)
  | join kind=inner (VersionEnumeration) on ObjectKey, IPAddress
  | extend TimeDifference = datetime_diff('minute', TimeGenerated, EnumerationTimeGenerated)
  | where TimeDifference between (0 .. 10)
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Directory
        columnName: ObjectKey
      - identifier: Name
        columnName: Filename
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
suppressionDuration: 5h
This query is designed to detect suspicious activities involving Azure Blob Storage. Specifically, it looks for instances where an unauthenticated (anonymous) user accesses the version history of a storage blob and then downloads a blob from the same location within a 10-minute timeframe. This behavior could indicate an attempt to access sensitive information that might have been present in previous versions of a file, such as credentials or personal data.
Here's a breakdown of the query's components:
Version Enumeration: The query first identifies anonymous requests whose URI contains "include=versions", i.e. a listing of blob versions. It records the ObjectKey, the caller's IP address (with the source port stripped from CallerIpAddress) and the time of the request.
Blob Download: It then looks for anonymous GetBlob operations, splitting each blob's ObjectKey with parse_path into its directory path and file name so the download can be matched against the enumerated path.
Time Correlation: The two sets are joined on directory path and IP address, and only pairs where the download happened between 0 and 10 minutes after the enumeration are kept.
Alert Generation: If such a sequence is detected, an alert is generated. The alert maps the directory and file name to a File entity and the caller's address to an IP entity.
Severity and Tactics: The rule is marked with a low severity level and is associated with the Collection and Exfiltration tactics (T1530, T1567), indicating potential data theft.
Incident Management: Alerts are grouped into an existing incident when all mapped entities match within a 5-hour lookback window, giving a consolidated view of the suspicious behaviour.
Overall, this query helps identify potential unauthorized access to sensitive data in Azure Blob Storage by monitoring for specific patterns of anonymous activity.
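To make the join logic concrete, here is an added Python re-implementation of the rule's correlation step run over constructed StorageBlobLogs rows; it is not part of the rule itself, and the account name, IPs and timestamps are made up. It mirrors the KQL choices deliberately, including the port stripping and the minute-boundary semantics of datetime_diff.

```python
from datetime import datetime
from posixpath import basename, dirname

def ts(h, m, s=0):
    return datetime(2026, 2, 5, h, m, s)  # constructed timestamps

# Constructed sample StorageBlobLogs rows (only the columns the rule reads).
LOGS = [
    # Anonymous version listing of the "public" container.
    {"TimeGenerated": ts(10, 0, 10), "AuthenticationType": "Anonymous", "OperationName": "ListBlobs",
     "CallerIpAddress": "203.0.113.5:51234", "ObjectKey": "/acct/public",
     "Uri": "https://acct.blob.core.windows.net/public?restype=container&comp=list&include=versions"},
    # Same source IP (new ephemeral port) downloads a blob from that container 4 minutes later.
    {"TimeGenerated": ts(10, 4, 30), "AuthenticationType": "Anonymous", "OperationName": "GetBlob",
     "CallerIpAddress": "203.0.113.5:51300", "ObjectKey": "/acct/public/config.json",
     "Uri": "https://acct.blob.core.windows.net/public/config.json?versionId=2025-11-01T08:00:00.0000000Z"},
    # Same IP and container, but 25 minutes later: outside the 10-minute window.
    {"TimeGenerated": ts(10, 25), "AuthenticationType": "Anonymous", "OperationName": "GetBlob",
     "CallerIpAddress": "203.0.113.5:51400", "ObjectKey": "/acct/public/old.bak",
     "Uri": "https://acct.blob.core.windows.net/public/old.bak"},
    # Authenticated download: the rule only considers anonymous requests.
    {"TimeGenerated": ts(10, 5), "AuthenticationType": "AccountKey", "OperationName": "GetBlob",
     "CallerIpAddress": "198.51.100.7:40000", "ObjectKey": "/acct/public/config.json",
     "Uri": "https://acct.blob.core.windows.net/public/config.json"},
]

def caller_ip(row):
    # Mirrors tostring(split(CallerIpAddress, ':')[0]); like the KQL, only correct for IPv4:port.
    return row["CallerIpAddress"].split(":")[0]

def minute_diff(later, earlier):
    # datetime_diff('minute', a, b) counts minute boundaries crossed, not elapsed seconds.
    later, earlier = later.replace(second=0, microsecond=0), earlier.replace(second=0, microsecond=0)
    return int((later - earlier).total_seconds() // 60)

def correlate(logs, window=10):
    anon = [r for r in logs if r["AuthenticationType"] == "Anonymous"]
    # VersionEnumeration: distinct (ObjectKey, IPAddress, EnumerationTimeGenerated) tuples.
    enumerations = {(r["ObjectKey"], caller_ip(r), r["TimeGenerated"]) for r in anon if "include=versions" in r["Uri"]}
    hits = []
    for r in anon:
        if r["OperationName"] != "GetBlob":
            continue
        # parse_path(ObjectKey).DirectoryPath / .Filename equivalents.
        directory, filename, ip = dirname(r["ObjectKey"]), basename(r["ObjectKey"]), caller_ip(r)
        for key, enum_ip, enum_time in enumerations:
            diff = minute_diff(r["TimeGenerated"], enum_time)
            if key == directory and enum_ip == ip and 0 <= diff <= window:
                hits.append({"ObjectKey": directory, "Filename": filename, "IPAddress": ip, "TimeDifference": diff})
    return hits

if __name__ == "__main__":
    for hit in correlate(LOGS):
        print(hit)
```

Only the config.json download fires; the later download falls outside the window and the authenticated one is never considered, which matches the rule's filters.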

Fabian Bader
Released: February 5, 2026