Query Details

Successful Azure Storage File Access From Unauthorized Geo Location

Query

let KnownCountries= dynamic([
    "United Kingdom",
    "Netherland",
    "Germany"
    ]);
StorageFileLogs
| where ingestion_time() > ago(10m)
| where OperationName == "GetFile"
| where StatusCode == "200"
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| extend GeoInformationFromIP = geo_info_from_ip_address(IPAddress)
| extend Country = tostring(GeoInformationFromIP.country)
| extend State = tostring(GeoInformationFromIP.state)
| extend City = tostring(GeoInformationFromIP.city)
| where Country !in (KnownCountries)

Explanation

This query is designed to detect unauthorized access to Azure Storage files from unexpected geographical locations. Here's a simple breakdown:

  • Purpose: The query identifies successful file access operations ("GetFile") on Azure Storage accounts from IP addresses outside the organization's allowed countries (United Kingdom, Netherlands, Germany).

  • How it works:

    • It checks logs from the last 10 minutes for successful file access (status code 200).
    • It extracts the caller's IP address and determines its geographical location.
    • It flags access attempts from countries not on the allowed list.
  • Why it's important: Access from unexpected countries could indicate compromised credentials, misconfigured applications, or unauthorized data exfiltration attempts.

  • Severity: The rule is set to a medium severity level.

  • Frequency: The query runs every 10 minutes, analyzing data from the past 13 minutes.

  • Incident Handling: If such access is detected, an incident is created. Incidents are grouped if they involve the same entities within a 5-hour window, but closed incidents are not reopened.

  • Suppression: Alerts are not suppressed, meaning they will trigger every time the condition is met.

This rule helps organizations monitor and secure their Azure Storage by alerting them to potentially unauthorized access from unexpected locations.

Details

Fabian Bader profile picture

Fabian Bader

Released: February 5, 2026

Tables

StorageFileLogs

Keywords

AzureStorageAccountsGeo-LocationIPAddressesCountries

Operators

letdynamicingestion_timeagowhere==extendtostringsplitgeo_info_from_ip_address!in

Severity

Medium

Tactics

CollectionInitialAccess

MITRE Techniques

Frequency: 10m

Period: 13m

Actions

GitHub