Query Details

Anonymous Retrieval Of Azure Blob Versions

Query

let VersionEnumeration= StorageBlobLogs
    | where AuthenticationType == "Anonymous"
    | where Uri has "include=versions"
    | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
    | summarize by ObjectKey, EnumerationTimeGenerated=TimeGenerated, IPAddress;
StorageBlobLogs
| where AuthenticationType == "Anonymous"
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| where OperationName == "GetBlob"
| extend ObjectKeyJSON = parse_path(ObjectKey)
| extend ObjectKey = tostring(ObjectKeyJSON.DirectoryPath)
| extend Filename =  tostring(ObjectKeyJSON.Filename)
| join kind=inner (VersionEnumeration) on ObjectKey, IPAddress
| extend TimeDifference = datetime_diff('minute', TimeGenerated, EnumerationTimeGenerated)
| where TimeDifference between (0 .. 10)

Explanation

This query is designed to detect suspicious activities involving Azure Blob Storage. Specifically, it looks for instances where an unauthenticated (anonymous) user accesses the version history of a storage blob and then downloads a blob from the same location within a 10-minute timeframe. This behavior could indicate an attempt to access sensitive information that might have been present in previous versions of a file, such as credentials or personal data.

Here's a breakdown of the query's components:

  • Version Enumeration: The query first identifies instances where an anonymous user lists the versions of a blob. It captures the IP address and the time of this activity.

  • Blob Download: It then checks for any blob download operations by the same anonymous user from the same IP address.

  • Time Correlation: The query correlates these two activities (version enumeration and blob download) to see if they occur within a 10-minute window.

  • Alert Generation: If such a sequence is detected, an alert is generated. The alert includes details about the file and the IP address involved.

  • Severity and Tactics: The rule is marked with a low severity level and is associated with tactics like Collection and Exfiltration, indicating potential data theft.

  • Incident Management: If an incident is created, it will group related activities within a 5-hour window to provide a comprehensive view of the suspicious behavior.

Overall, this query helps identify potential unauthorized access to sensitive data in Azure Blob Storage by monitoring for specific patterns of anonymous activity.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

StorageBlobLogs

Keywords

AzureBlobStorageFileIPAddress

Operators

let|wherehasextendtostringsplitsummarizeby=parse_pathjoinkind=innerondatetime_diffbetween

Severity

Low

Tactics

CollectionExfiltration

MITRE Techniques

Frequency: 10m

Period: 12m

Actions

GitHub