Managed Sentinel – Alert 008

Alert ID: MS-A008
Alert Name: Azure storage key enumeration
Description: The query builds, for each caller, the cluster of source IP addresses from which that caller normally lists storage account keys over the lookback window. Callers that performed only a single operation in that window do not appear in this baseline, because a single event is not enough to learn their normal activity.
Source: GitHub - Microsoft
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Initial Access
Log sources: Azure Activity
False Positives:
Recommendations: Listing of storage account keys is a noteworthy operation in Azure. The keys grant full access to the storage account, which can expose additional secrets and PII to the caller and can also give access to VMs whose data lives in that account. Many operations of this type are benign, so the useful question is whether the account performing the listing, or the source IP address it is performed from, is anomalous for that account. ListKeys activity is correlated with the learned clusters of expected caller/IP activity, and activity that falls outside those clusters is returned.
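The baseline-and-deviation logic described above, as an added illustration that is not the rule's own query (in Sentinel the real rule is a KQL query over the AzureActivity table). The field names Caller, CallerIpAddress, OperationNameValue and TimeGenerated are the AzureActivity columns; the event records, window dates and caller names are constructed for the example. Callers with fewer than two ListKeys events in the lookback window get no baseline and are therefore never flagged, which mirrors the rule's own limitation.

```python
"""Baseline-and-deviation check for Azure storage account key listing.

Learn which source IPs each caller normally lists storage keys from over a
lookback window, drop callers seen only once (no learnable baseline), then
report recent ListKeys events whose caller/IP pair falls outside the learned
cluster. Stand-alone Python model of the detection idea, not the Sentinel rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operation name as it appears in AzureActivity.OperationNameValue (case-insensitive)
LISTKEYS_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"

# Constructed AzureActivity-style records for the example; not real tenant data.
SAMPLE_EVENTS = [
    # deploy-sp: several lookback events from two IPs -> learnable cluster
    {"TimeGenerated": "2024-03-01T08:00:00Z", "Caller": "deploy-sp", "CallerIpAddress": "20.10.0.5", "OperationNameValue": LISTKEYS_OP},
    {"TimeGenerated": "2024-03-03T08:00:00Z", "Caller": "deploy-sp", "CallerIpAddress": "20.10.0.6", "OperationNameValue": LISTKEYS_OP},
    {"TimeGenerated": "2024-03-05T08:00:00Z", "Caller": "deploy-sp", "CallerIpAddress": "20.10.0.5", "OperationNameValue": LISTKEYS_OP},
    # alice: a single lookback event -> no baseline can be learned, dropped
    {"TimeGenerated": "2024-03-04T10:00:00Z", "Caller": "alice@contoso.com", "CallerIpAddress": "198.51.100.7", "OperationNameValue": LISTKEYS_OP},
    # a non-ListKeys operation in the lookback window; must not feed the baseline
    {"TimeGenerated": "2024-03-06T10:00:00Z", "Caller": "deploy-sp", "CallerIpAddress": "203.0.113.9", "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/READ"},
    # detection-window events (2024-03-14)
    {"TimeGenerated": "2024-03-14T09:00:00Z", "Caller": "deploy-sp", "CallerIpAddress": "20.10.0.6", "OperationNameValue": LISTKEYS_OP},       # expected
    {"TimeGenerated": "2024-03-14T11:30:00Z", "Caller": "deploy-sp", "CallerIpAddress": "203.0.113.9", "OperationNameValue": LISTKEYS_OP},     # anomalous IP
    {"TimeGenerated": "2024-03-14T12:00:00Z", "Caller": "alice@contoso.com", "CallerIpAddress": "203.0.113.10", "OperationNameValue": LISTKEYS_OP},  # no baseline
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def listkeys_events(events, start, end):
    """ListKeys events with start <= TimeGenerated < end."""
    return [e for e in events
            if e["OperationNameValue"].upper() == LISTKEYS_OP
            and start <= parse_ts(e["TimeGenerated"]) < end]


def learn_ip_clusters(events, start, end, min_events=2):
    """Map caller -> set of source IPs it listed keys from during [start, end).

    Callers with fewer than min_events ListKeys events are dropped: one event
    says nothing about what is normal for that caller.
    """
    seen = defaultdict(list)
    for e in listkeys_events(events, start, end):
        seen[e["Caller"]].append(e["CallerIpAddress"])
    return {caller: set(ips) for caller, ips in seen.items() if len(ips) >= min_events}


def anomalous_listkeys(events, detect_start, detect_end, lookback_days=14):
    """Detection-window ListKeys events from a caller with a learned cluster
    whose source IP is not in that cluster. Callers without a cluster are not
    reported (nothing to compare against), so a brand-new caller needs a
    separate rule."""
    baseline_start = detect_start - timedelta(days=lookback_days)
    clusters = learn_ip_clusters(events, baseline_start, detect_start)
    hits = []
    for e in listkeys_events(events, detect_start, detect_end):
        known = clusters.get(e["Caller"])
        if known is not None and e["CallerIpAddress"] not in known:
            hits.append({**e, "KnownIps": sorted(known)})
    return hits


def run_sample():
    """Run the check over the constructed data for a one-day window on 2024-03-14."""
    start = parse_ts("2024-03-14T00:00:00Z")
    return anomalous_listkeys(SAMPLE_EVENTS, start, start + timedelta(days=1))


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h['TimeGenerated']} {h['Caller']} listed keys from {h['CallerIpAddress']}; "
              f"expected IPs: {', '.join(h['KnownIps'])}")
```

On the constructed data only the deploy-sp event from 203.0.113.9 is returned: the same IP appeared in the lookback window, but on a read operation, not a ListKeys call, so it never entered the learned cluster. The alice event is silently dropped, which is the false-negative side of this design: an account that has never listed keys before gets no baseline and so is never compared, and a rule for first-seen ListKeys callers is the natural complement.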