Query Details

Potential Storage Enumeration Or Brute Force Attack

Query

id: 1c512bde-efba-4bea-a02e-bc63bd1298a3
name: Potential Storage Enumeration or Brute Force Attack
version: 1.0.0
kind: Scheduled
description: |-
  Detected a pattern of failed access attempts against Azure Blob Storage where the failure rate exceeded 90% for a single source IP.

  This activity indicated potential malicious intent, specifically:
  * Blind Enumeration: The source IP likely attempted to guess blob names or container structures to discover valid resources.
  * Brute Force: The source likely attempted repeatedly to bypass authentication using invalid keys or tokens.
  * Reconnaissance: The source appeared to be mapping cloud infrastructure availability.
severity: Medium
queryFrequency: 5m
queryPeriod: 6m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
- CredentialAccess
- Collection
relevantTechniques:
- T1619
- T1110
- T1580
- T1530
query: |
  let AllBlobActions= StorageBlobLogs
      | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
      | summarize Count=count() by _ResourceId, AccountName, IPAddress, StatusText, OperationName, Category;
  AllBlobActions
  | where StatusText == "Success"
  | project-rename SuccessCount = Count
  | join kind=inner (AllBlobActions
      | where StatusText != "Success"
      | project-rename NonSuccessCount = Count)
      on AccountName, IPAddress
  | extend PercentageOfFailedRequests = (todouble(NonSuccessCount) / (toint(SuccessCount) + toint(NonSuccessCount))) * 100
  | where PercentageOfFailedRequests > 90
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - IP
    - AzureResource
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
suppressionDuration: 5h

Explanation

This query is designed to detect potential malicious activities targeting Azure Blob Storage. It specifically looks for patterns of failed access attempts from a single source IP address where the failure rate exceeds 90%. This high failure rate could indicate malicious intent, such as:

  1. Blind Enumeration: The attacker might be trying to guess blob names or container structures to find valid resources.
  2. Brute Force: The attacker could be repeatedly attempting to bypass authentication using incorrect keys or tokens.
  3. Reconnaissance: The attacker might be mapping out the cloud infrastructure's availability.

The query runs every 5 minutes and analyzes data from the past 6 minutes. It calculates the percentage of failed requests from each IP address and flags those with a failure rate greater than 90%. If such activity is detected, an incident is created with a medium severity level.

The query also includes configurations for incident management, such as grouping related alerts by IP and Azure resource, and suppressing duplicate alerts for 5 hours. The tactics and techniques associated with this activity include Discovery, Credential Access, and Collection, with specific references to MITRE ATT&CK techniques like T1619, T1110, T1580, and T1530.
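To make the join and percentage arithmetic of the rule concrete, here is an added Python emulation of the query above; it is not part of the published rule or its project. The log rows are constructed, and the _ResourceId and Category grouping columns are left out because they only add further grouping keys.

```python
from collections import Counter
from itertools import product

# Constructed sample rows shaped as (AccountName, CallerIpAddress, StatusText, OperationName).
# 203.0.113.10: 1 success, 19 failures   -> 95% failed, should be flagged
# 192.0.2.25:   10 successes, 2 failures -> ~16.7% failed, not flagged
# 198.51.100.7: 0 successes, 30 failures -> 100% failed, but has no "Success" row to join on
SAMPLE_LOGS = (
    [("contosostore", "203.0.113.10:51234", "Success", "GetBlob")]
    + [("contosostore", "203.0.113.10:51234", "AuthorizationFailure", "GetBlob")] * 19
    + [("contosostore", "192.0.2.25:40001", "Success", "GetBlob")] * 10
    + [("contosostore", "192.0.2.25:40001", "ClientOtherError", "GetBlob")] * 2
    + [("contosostore", "198.51.100.7:60500", "AuthenticationFailed", "ListBlobs")] * 30
)

def caller_ip(caller_ip_address):
    """Mirror tostring(split(CallerIpAddress, ':')[0]): drop the port of an IPv4 caller.
    An IPv6 literal would be cut at its first colon by the same expression."""
    return caller_ip_address.split(":")[0]

def failed_request_rows(rows):
    """Emulate the rule: summarize counts, inner-join Success against non-Success
    rows on (AccountName, IPAddress), then compute PercentageOfFailedRequests."""
    counts = Counter((acct, caller_ip(ip), status, op) for acct, ip, status, op in rows)
    success = [(k, n) for k, n in counts.items() if k[2] == "Success"]
    non_success = [(k, n) for k, n in counts.items() if k[2] != "Success"]
    results = []
    # join kind=inner pairs every Success row with every non-Success row of the same key
    for (sk, sc), (fk, fc) in product(success, non_success):
        if sk[:2] != fk[:2]:
            continue
        results.append({
            "AccountName": sk[0], "IPAddress": sk[1],
            "SuccessCount": sc, "NonSuccessCount": fc,
            "PercentageOfFailedRequests": fc / (sc + fc) * 100,
        })
    return results

def flagged_ips(rows, threshold=90.0):
    """IPs the rule would alert on (PercentageOfFailedRequests > threshold)."""
    return sorted({r["IPAddress"] for r in failed_request_rows(rows)
                   if r["PercentageOfFailedRequests"] > threshold})

def joined_ips(rows):
    """IPs that survive the inner join at all (each needs at least one Success row)."""
    return sorted({r["IPAddress"] for r in failed_request_rows(rows)})

if __name__ == "__main__":
    for r in failed_request_rows(SAMPLE_LOGS):
        print(r)
    print("flagged:", flagged_ips(SAMPLE_LOGS))
```

The third constructed IP never reaches the percentage step because the inner join only yields rows for an account and IP that appear on both the Success and non-Success side of the summarized table.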

Details

Fabian Bader

Released: February 5, 2026

Tables

StorageBlobLogs

Keywords

AzureBlobStorage

Operators

let, extend, tostring, split, summarize, count, by, project-rename, join, kind, on, todouble, toint, where