Query Details

Successful Azure Storage File Access From Unauthorized Geo Location

Query

id: 2241780d-90b1-4142-af41-6ee218d03b88
name: Successful Azure Storage File Access from Unauthorized Geo-Location
version: 1.0.0
kind: Scheduled
description: |-
  This analytics rule detects successful "GetFile" operations performed on Azure Storage accounts from IP addresses located outside of the organization's designated allowed countries (United Kingdom, Netherlands, Germany).

  The query analyzes StorageFileLogs for successful status codes (200) and resolves the caller's IP address to its geolocation. Access attempts from unexpected countries may indicate compromised credentials, a misconfigured application, or unauthorized data exfiltration attempts.
severity: Medium
queryFrequency: 10m
queryPeriod: 13m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- InitialAccess
relevantTechniques:
- T1530
- T1078
query: |-
  // Country names must match exactly what geo_info_from_ip_address() returns
  // (the original list had "Netherland", which never matches "Netherlands").
  let KnownCountries = dynamic([
      "United Kingdom",
      "Netherlands",
      "Germany"
      ]);
  StorageFileLogs
  | where ingestion_time() > ago(10m)
  | where OperationName == "GetFile"
  | where StatusCode == "200"
  | extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
  | extend GeoInformationFromIP = geo_info_from_ip_address(IPAddress)
  | extend Country = tostring(GeoInformationFromIP.country)
  | extend State = tostring(GeoInformationFromIP.state)
  | extend City = tostring(GeoInformationFromIP.city)
  | where Country !in (KnownCountries)
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
suppressionDuration: 5h

Explanation

This query is designed to detect unauthorized access to Azure Storage files from unexpected geographical locations. Here's a simple breakdown:

  • Purpose: The query identifies successful file access operations ("GetFile") on Azure Storage accounts from IP addresses outside the organization's allowed countries (United Kingdom, Netherlands, Germany).

  • How it works:

    • It checks logs from the last 10 minutes for successful file access (status code 200).
    • It extracts the caller's IP address and determines its geographical location.
    • It flags access attempts from countries not on the allowed list.

  • Why it's important: Access from unexpected countries could indicate compromised credentials, misconfigured applications, or unauthorized data exfiltration attempts.

  • Severity: The rule is set to a medium severity level.

  • Frequency: The query runs every 10 minutes, analyzing data from the past 13 minutes.

  • Incident Handling: If such access is detected, an incident is created. Incidents are grouped if they involve the same entities within a 5-hour window, but closed incidents are not reopened.

  • Suppression: Alerts are not suppressed, meaning they will trigger every time the condition is met.

This rule helps organizations monitor and secure their Azure Storage by alerting them to potentially unauthorized access from unexpected locations.
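To see the rule's logic and its two practical pitfalls in isolation, here is an added Python model of the detection run over constructed StorageFileLogs rows; it is not part of the original rule or its author's code. The geo lookup table, the sample rows and the bracketed "[v6]:port" form of CallerIpAddress are assumptions standing in for geo_info_from_ip_address() and real log data.

```python
import ipaddress
# Constructed stand-in for geo_info_from_ip_address(): documentation
# prefixes (RFC 5737 / RFC 3849) mapped to made-up countries.
GEO_TABLE = {
    "203.0.113.0/24": "United Kingdom",
    "198.51.100.0/24": "Netherlands",
    "192.0.2.0/24": "Brazil",
    "2001:db8::/32": "Germany",
}
KNOWN_COUNTRIES = {"United Kingdom", "Netherlands", "Germany"}

def caller_ip(caller: str) -> str:
    """Strip the port. The rule's split(CallerIpAddress, ':')[0] suits 'a.b.c.d:port'
    but truncates IPv6 to its first hextet; '[v6]:port' (assumed form) and bare v6 are kept."""
    if caller.startswith("["):
        return caller[1:caller.index("]")]
    host, sep, port = caller.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return caller

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return ""  # unresolvable (e.g. private) addresses yield an empty country

def flag_unexpected_access(rows, known=KNOWN_COUNTRIES):
    """Mirror of the rule: successful GetFile whose country is not on the allow-list.
    As with `Country !in (KnownCountries)`, an empty (unresolved) country is flagged too."""
    hits = []
    for r in rows:
        if r["OperationName"] != "GetFile" or r["StatusCode"] != "200":
            continue
        ip = caller_ip(r["CallerIpAddress"])
        country = country_of(ip)
        if country not in known:
            hits.append((ip, country))
    return hits

# Constructed StorageFileLogs rows (only the columns the rule reads).
SAMPLE_LOGS = [
    {"OperationName": "GetFile", "StatusCode": "200", "CallerIpAddress": "203.0.113.5:443"},
    {"OperationName": "GetFile", "StatusCode": "200", "CallerIpAddress": "198.51.100.9:443"},
    {"OperationName": "GetFile", "StatusCode": "200", "CallerIpAddress": "192.0.2.77:51234"},
    {"OperationName": "GetFile", "StatusCode": "403", "CallerIpAddress": "192.0.2.77:51235"},
    {"OperationName": "GetFile", "StatusCode": "200", "CallerIpAddress": "[2001:db8::1]:443"},
    {"OperationName": "GetFile", "StatusCode": "200", "CallerIpAddress": "10.0.0.5:1234"},
]
```

Calling `flag_unexpected_access(SAMPLE_LOGS, {"United Kingdom", "Netherland", "Germany"})` reproduces the misspelt allow-list and shows Dutch traffic being flagged; the private 10.0.0.5 row shows that addresses the geo lookup cannot resolve are flagged as well, which is worth tuning for if internal callers appear in the logs.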

Details

Fabian Bader

Released: February 5, 2026

Tables

StorageFileLogs

Keywords

Azure, Storage Accounts, Geo-Location, IP Addresses, Countries

Operators

let, dynamic, ingestion_time, ago, where, ==, extend, tostring, split, geo_info_from_ip_address, !in