Successful Azure Storage File Access From Unauthorized Geo Location
Query
let KnownCountries= dynamic([
"United Kingdom",
"Netherland",
"Germany"
]);
StorageFileLogs
| where ingestion_time() > ago(10m)
| where OperationName == "GetFile"
| where StatusCode == "200"
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| extend GeoInformationFromIP = geo_info_from_ip_address(IPAddress)
| extend Country = tostring(GeoInformationFromIP.country)
| extend State = tostring(GeoInformationFromIP.state)
| extend City = tostring(GeoInformationFromIP.city)
| where Country !in (KnownCountries)Explanation
This query is designed to detect unauthorized access to Azure Storage files from unexpected geographical locations. Here's a simple breakdown:
-
Purpose: The query identifies successful file access operations ("GetFile") on Azure Storage accounts from IP addresses outside the organization's allowed countries (United Kingdom, Netherlands, Germany).
-
How it works:
- It checks logs from the last 10 minutes for successful file access (status code 200).
- It extracts the caller's IP address and determines its geographical location.
- It flags access attempts from countries not on the allowed list.
-
Why it's important: Access from unexpected countries could indicate compromised credentials, misconfigured applications, or unauthorized data exfiltration attempts.
-
Severity: The rule is set to a medium severity level.
-
Frequency: The query runs every 10 minutes, analyzing data from the past 13 minutes.
-
Incident Handling: If such access is detected, an incident is created. Incidents are grouped if they involve the same entities within a 5-hour window, but closed incidents are not reopened.
-
Suppression: Alerts are not suppressed, meaning they will trigger every time the condition is met.
This rule helps organizations monitor and secure their Azure Storage by alerting them to potentially unauthorized access from unexpected locations.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 10m
Period: 13m