Query Details
//Detect when a user retrieves keys for Azure storage for the first time compared to the previous time range
//Data connector required for this query - Azure Activity
let knownusers=
AzureActivity
| where TimeGenerated > ago(90d) and TimeGenerated < ago(1d)
| where OperationName == "List Storage Account Keys"
| where ActivityStatus == "Succeeded"
| project-rename Actor=Caller
| distinct Actor;
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationName == "List Storage Account Keys"
| where ActivityStatus == "Succeeded"
| project-rename Actor=Caller
| where Actor !in (knownusers)
| project
TimeGenerated,
Actor,
['Actor IP Address']=CallerIpAddress,
['Storage Account Name']=Resource,
['Azure Subscription Id']=SubscriptionId,
['Azure Resource Group']=ResourceGroup

This query detects a user retrieving Azure Storage account keys for the first time, compared with a baseline of earlier activity. It uses the Azure Activity data connector and keeps only successful operations whose operation name is "List Storage Account Keys". The let statement builds a list of distinct callers who performed that operation between 90 days ago and 1 day ago; the main query then takes the same operation in the last day and returns rows whose caller is not in that list. For each hit it projects the time generated, the actor, the caller IP address, the storage account name, the subscription ID and the resource group. Two points to keep in mind when tuning it: the baseline deliberately stops at ago(1d), so callers whose only activity is within the last day are never treated as known, and any caller whose last key listing was more than 90 days ago will appear as "new" again. Caller is whatever identity performed the operation, so a service principal or managed identity listing keys for the first time will surface alongside interactive users.
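The same first-seen logic, re-implemented in Python and run over a few constructed AzureActivity-style records so the baseline/detection split can be checked offline. This is an added example, not code from the original page or from the query's author. The record fields mirror the AzureActivity columns the query uses; the fixed NOW timestamp, the callers, IPs and resource names are assumed sample data. The case_sensitive switch is an addition to show the difference between KQL `!in` (case-sensitive, which is what the query uses) and `!in~`.

```python
from datetime import datetime, timedelta, timezone

OPERATION = "List Storage Account Keys"
# Fixed "now" so the example is deterministic; the KQL uses ago() relative to query time.
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def event(days_ago, caller, status="Succeeded", ip="203.0.113.10",
          resource="stcontosoprod01",
          sub="00000000-0000-0000-0000-000000000000", rg="rg-prod"):
    """Build one AzureActivity-shaped record (constructed sample data, not real telemetry)."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "OperationName": OPERATION,
        "ActivityStatus": status,
        "Caller": caller,
        "CallerIpAddress": ip,
        "Resource": resource,
        "SubscriptionId": sub,
        "ResourceGroup": rg,
    }


# Constructed sample activity covering the edge cases the query's windows create.
SAMPLE_ACTIVITY = [
    event(30, "alice@contoso.com"),                          # in baseline window -> known
    event(5, "9c1d3e2f-1111-2222-3333-444455556666"),        # service principal in baseline -> known
    event(0.5, "alice@contoso.com"),                         # today, known -> no alert
    event(0.2, "bob@contoso.com"),                           # today, never seen -> alert
    event(0.3, "carol@contoso.com", status="Failed"),        # today but failed -> ignored entirely
    event(0.4, "Alice@contoso.com"),                         # today, differs only in case from a known actor
    event(0.6, "dave@contoso.com"),                          # today only, two listings in < 1d: both alert,
    event(0.8, "dave@contoso.com", resource="stfinance02"),  # because rows newer than ago(1d) never join the baseline
    event(95, "erin@contoso.com"),                           # older than 90d -> falls out of the baseline,
    event(0.1, "erin@contoso.com"),                          # so erin looks "new" again today
]


def _succeeded_listings(events):
    """The two where-filters shared by both halves of the query."""
    return [e for e in events
            if e["OperationName"] == OPERATION and e["ActivityStatus"] == "Succeeded"]


def known_actors(events, now=NOW, baseline_days=90, recent_days=1, case_sensitive=True):
    """Mirror of the knownusers let-statement: distinct callers with a successful
    key listing in the window (now-baseline_days, now-recent_days)."""
    lo, hi = now - timedelta(days=baseline_days), now - timedelta(days=recent_days)
    actors = {e["Caller"] for e in _succeeded_listings(events)
              if lo < e["TimeGenerated"] < hi}
    return actors if case_sensitive else {a.lower() for a in actors}


def first_seen_key_listings(events, now=NOW, baseline_days=90, recent_days=1,
                            case_sensitive=True):
    """Mirror of the main query: successful key listings in the last recent_days
    by a caller absent from the baseline. case_sensitive=True behaves like KQL
    `!in` (the query as written); False behaves like `!in~`."""
    known = known_actors(events, now, baseline_days, recent_days, case_sensitive)
    lo = now - timedelta(days=recent_days)
    hits = []
    for e in _succeeded_listings(events):
        if e["TimeGenerated"] <= lo:
            continue
        actor = e["Caller"] if case_sensitive else e["Caller"].lower()
        if actor in known:
            continue
        hits.append({                                # same projection as the KQL
            "TimeGenerated": e["TimeGenerated"],
            "Actor": e["Caller"],
            "Actor IP Address": e["CallerIpAddress"],
            "Storage Account Name": e["Resource"],
            "Azure Subscription Id": e["SubscriptionId"],
            "Azure Resource Group": e["ResourceGroup"],
        })
    return sorted(hits, key=lambda h: h["TimeGenerated"])


if __name__ == "__main__":
    for hit in first_seen_key_listings(SAMPLE_ACTIVITY):
        print(hit["TimeGenerated"].isoformat(), hit["Actor"], hit["Storage Account Name"])
```

Run against the sample set, the case-sensitive version (the query's behaviour) returns five rows: both of dave's listings, "Alice@contoso.com" (because `!in` does not treat it as the known "alice@contoso.com"), bob, and erin, whose only earlier listing is older than the 90-day baseline. Carol's failed attempt never enters either half. Switching to the `!in~` equivalent drops the mixed-case Alice row, which is usually what you want when the same UPN can be logged with different casing.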

Matt Zorich
Released: June 17, 2022