Query Details

Potential Storage Enumeration Or Brute Force Attack

Query

let AllBlobActions= StorageBlobLogs
    | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
    | summarize Count=count() by _ResourceId, AccountName, IPAddress, StatusText, OperationName, Category;
AllBlobActions
| where StatusText == "Success"
| project-rename SuccessCount = Count
| join kind=inner (AllBlobActions
    | where StatusText != "Success"
    | project-rename NonSuccessCount = Count)
    on AccountName, IPAddress
| extend PercentageOfFailedRequests = (todouble(NonSuccessCount) / (toint(SuccessCount) + toint(NonSuccessCount))) * 100
| where PercentageOfFailedRequests > 90

Explanation

This query is designed to detect potential malicious activities targeting Azure Blob Storage. It specifically looks for patterns of failed access attempts from a single source IP address where the failure rate exceeds 90%. This high failure rate could indicate malicious intent, such as:

  1. Blind Enumeration: The attacker might be trying to guess blob names or container structures to find valid resources.
  2. Brute Force: The attacker could be repeatedly attempting to bypass authentication using incorrect keys or tokens.
  3. Reconnaissance: The attacker might be mapping out the cloud infrastructure's availability.

The query runs every 5 minutes and analyzes data from the past 6 minutes. It calculates the percentage of failed requests from each IP address and flags those with a failure rate greater than 90%. If such activity is detected, an incident is created with a medium severity level.

The query also includes configurations for incident management, such as grouping related alerts by IP and Azure resource, and suppressing duplicate alerts for 5 hours. The tactics and techniques associated with this activity include Discovery, Credential Access, and Collection, with specific references to MITRE ATT&CK techniques like T1619, T1110, T1580, and T1530.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

StorageBlobLogs

Keywords

AzureBlobStorage

Operators

letextendtostringsplitsummarizecountbyproject-renamejoinkindontodoubletointwhere

Severity

Medium

Tactics

DiscoveryCredentialAccessCollection

MITRE Techniques

Frequency: 5m

Period: 6m

Actions

GitHub