Unexpected Azure API calls indicating blob container modification

ID: azure_blob_container_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of an Azure Blob Storage container via the Microsoft.Storage/storageAccounts/blobServices/containers/write action. Container modifications can alter access levels, metadata, or immutability policies that protect stored data.

Adversaries may modify container settings to enable public access, weaken immutability protections, or change access tiers as part of data exfiltration or tampering activities. This detection specifically targets modifications rather than new container creation.

Impact

Container modifications can expose sensitive data by enabling public access, remove legal hold or immutability protections designed to prevent data tampering, or alter access policies to grant unauthorized principals access. Changes to container settings may be a precursor to data exfiltration or destruction.

Severity

Severity   Condition
Low        Unexpected action or ASN
Medium     Two unexpected properties at the same time
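The severity table above scores an event by how many of its properties are unexpected. The following added example (not AlphaSOC's own detection code) applies that rule to constructed Azure Activity records: it keeps only successful `containers/write` operations, treats a `Created` status as new-container creation and skips it (an assumption about the log shape), and counts an unexpected action (a principal not known to manage containers) and an unexpected source ASN as the two properties. The baseline, the sample records and the `asn` enrichment field are all constructed for the example.

```python
"""Score Azure Blob container modifications per the Low/Medium severity table."""

CONTAINER_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/write"

# Constructed per-tenant baseline (assumption): principals known to manage
# containers, and the source ASNs they normally operate from.
BASELINE = {
    "known_container_writers": {"storage-admin@example.test"},
    "known_asns": {64496},  # documentation ASN, constructed
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RES = SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1/blobServices/default/containers/"

# Constructed sample records in a simplified Azure Activity log shape.
# `asn` is assumed to be added by an enrichment step; it is not in the raw log.
SAMPLE_EVENTS = [
    # Known admin, known ASN: an expected modification, no finding.
    {"operationName": CONTAINER_WRITE, "caller": "storage-admin@example.test",
     "asn": 64496, "callerIpAddress": "203.0.113.10", "resourceId": RES + "backups",
     "properties": {"statusCode": "OK"}},
    # Creation of a new container: out of scope for this detection.
    {"operationName": CONTAINER_WRITE, "caller": "storage-admin@example.test",
     "asn": 64496, "callerIpAddress": "203.0.113.10", "resourceId": RES + "archive",
     "properties": {"statusCode": "Created"}},
    # Unknown principal from a known ASN: one unexpected property -> Low.
    {"operationName": CONTAINER_WRITE, "caller": "ci-deploy-sp@example.test",
     "asn": 64496, "callerIpAddress": "203.0.113.22", "resourceId": RES + "backups",
     "properties": {"statusCode": "OK"}},
    # Unknown principal from an unknown ASN: two unexpected properties -> Medium.
    {"operationName": CONTAINER_WRITE, "caller": "contractor@example.test",
     "asn": 64511, "callerIpAddress": "198.51.100.7", "resourceId": RES + "legal-hold",
     "properties": {"statusCode": "OK"}},
    # A different operation: ignored by this detection.
    {"operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/read",
     "caller": "contractor@example.test", "asn": 64511,
     "callerIpAddress": "198.51.100.7", "resourceId": RES + "legal-hold",
     "properties": {"statusCode": "OK"}},
]


def is_container_modification(event):
    """True for a containers/write that updated an existing container."""
    if event.get("operationName") != CONTAINER_WRITE:
        return False
    # Assumption: ARM reports a new container as "Created" and an update as "OK".
    return event.get("properties", {}).get("statusCode") != "Created"


def unexpected_properties(event, baseline):
    """Return which of the two scored properties fall outside the baseline."""
    found = []
    if event.get("caller") not in baseline["known_container_writers"]:
        found.append("action")   # principal has no history of container writes
    if event.get("asn") not in baseline["known_asns"]:
        found.append("asn")      # source network is new for this tenant
    return found


def severity_for(unexpected):
    """Map the count of unexpected properties to the table's severities."""
    if len(unexpected) >= 2:
        return "Medium"
    if len(unexpected) == 1:
        return "Low"
    return None


def triage(events, baseline=BASELINE):
    """Produce one finding per anomalous container modification."""
    findings = []
    for event in events:
        if not is_container_modification(event):
            continue
        unexpected = unexpected_properties(event, baseline)
        severity = severity_for(unexpected)
        if severity is None:
            continue
        findings.append({
            "container": event["resourceId"].rsplit("/", 1)[-1],
            "caller": event["caller"],
            "source_ip": event.get("callerIpAddress"),
            "unexpected": unexpected,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The baseline here is a static set; in practice it would be learned from the tenant's own Activity log history, which is what makes "unexpected" meaningful rather than a fixed allow list.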

Investigation and Remediation

Review Azure Activity logs for the container modification and identify the principal responsible. Examine the specific changes made, particularly access level modifications or immutability policy changes. Check the container's current configuration against organizational policies.

If unauthorized, revert the container settings to their secure state and rotate credentials for the affected identity. Audit the container contents for unauthorized access or modifications. Implement Azure Policy to enforce container security requirements.
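To show the "examine the specific changes" and "check the current configuration against organizational policies" steps concretely, the following added example (not part of AlphaSOC's documentation or tooling) diffs a before/after snapshot of a container's properties and checks the current state against a constructed policy. The snapshot fields are modelled on the ARM container resource (`publicAccess`, `hasLegalHold`, `hasImmutabilityPolicy`, `metadata`), but the exact shape and the policy are assumptions for the example.

```python
"""Diff a container's settings and check them against an organisational policy."""

# Constructed policy (assumption): no anonymous access, and every container in
# this scope must be protected by a legal hold or an immutability policy.
POLICY = {
    "allowed_public_access": {"None"},
    "require_legal_hold_or_immutability": True,
}

# Constructed snapshots of one container before and after a containers/write.
BEFORE = {
    "name": "legal-hold",
    "properties": {
        "publicAccess": "None",
        "hasLegalHold": True,
        "hasImmutabilityPolicy": False,
        "metadata": {"owner": "records-team"},
    },
}
AFTER = {
    "name": "legal-hold",
    "properties": {
        "publicAccess": "Container",
        "hasLegalHold": False,
        "hasImmutabilityPolicy": False,
        "metadata": {"owner": "records-team", "exported": "true"},
    },
}


def diff_properties(before, after, prefix="properties"):
    """Return dotted paths of properties whose values changed, sorted."""
    changed = []
    b, a = before["properties"], after["properties"]
    for key in sorted(set(b) | set(a)):
        if isinstance(b.get(key), dict) and isinstance(a.get(key), dict):
            for sub in sorted(set(b[key]) | set(a[key])):
                if b[key].get(sub) != a[key].get(sub):
                    changed.append(f"{prefix}.{key}.{sub}")
        elif b.get(key) != a.get(key):
            changed.append(f"{prefix}.{key}")
    return changed


def policy_violations(container, policy=POLICY):
    """List policy violations in the container's current configuration."""
    props = container["properties"]
    violations = []
    if props.get("publicAccess") not in policy["allowed_public_access"]:
        violations.append("public_access")
    if policy["require_legal_hold_or_immutability"] and not (
        props.get("hasLegalHold") or props.get("hasImmutabilityPolicy")
    ):
        violations.append("immutability")
    return violations


# Remediation each violation calls for, phrased as the secure target state.
REMEDIATION = {
    "public_access": "set public access back to None (no anonymous access)",
    "immutability": "restore the legal hold or immutability policy on the container",
}


def remediation_plan(container, policy=POLICY):
    """Pair each violation with the setting that reverts it."""
    return [(v, REMEDIATION[v]) for v in policy_violations(container, policy)]


if __name__ == "__main__":
    print("changed:", diff_properties(BEFORE, AFTER))
    for violation, action in remediation_plan(AFTER):
        print(f"{violation}: {action}")
```

The diff tells the investigator what the `containers/write` actually changed (here public access, the legal hold and a metadata key), while the policy check tells them which of those changes need reverting regardless of who made them; the Azure Policy recommendation in the text is the way to keep the second list empty going forward.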

Known False Positives

  • Legitimate storage administration and optimization
  • Application deployments updating container metadata
  • Data lifecycle management activities