
Unexpected Azure API calls indicating Storage account modification

ID: azure_storage_account_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of an Azure Storage account configuration via Microsoft.Storage/storageAccounts/write. Storage account settings control network access rules, encryption, authentication methods, and data protection features.

Adversaries may modify storage accounts to enable public access, weaken encryption settings, or disable security features. These changes can facilitate data exfiltration, unauthorized access, or preparation for ransomware attacks.

Impact

Storage account configuration changes can weaken data protection and access controls. Attackers may enable public blob access for data exfiltration, disable encryption requirements, or modify network rules to allow external access. Weakened security configurations can expose sensitive data to unauthorized parties.

Severity

Severity | Condition
Low      | Storage account modification detected
Medium   | Anomalous storage account modification

Investigation and Remediation

Review Azure Activity logs for Microsoft.Storage/storageAccounts/write events. Examine the request body to identify what configuration changes were made. Compare current settings against security baselines to identify any weakened protections.

If unauthorized, revert the storage account to its secure configuration. Review storage analytics logs for unauthorized data access during the exposure window. Investigate the compromised identity for additional malicious activity. Implement Azure Policy to enforce secure storage account configurations.
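One way to carry out the request-body review described above, as an added example that is not part of the AlphaSOC detection: a small Python triage helper that reads constructed Activity log records, keeps only Microsoft.Storage/storageAccounts/write events, and flags settings that fall below a baseline. The record shape approximates the exported Activity log schema, and the baseline of which values count as weak is this example's own assumption.

```python
import json

# Storage account properties that an attacker can flip to weaken protection.
# Names follow the Microsoft.Storage/storageAccounts ARM schema; which values
# count as "weak" is this example's own baseline.
WEAK_VALUES = {
    "allowBlobPublicAccess": lambda v: v is True,
    "supportsHttpsTrafficOnly": lambda v: v is False,
    "allowSharedKeyAccess": lambda v: v is True,
    "publicNetworkAccess": lambda v: v == "Enabled",
    "minimumTlsVersion": lambda v: v in ("TLS1_0", "TLS1_1"),
}

def weakened_settings(record):
    """Names of weakening settings in one Activity log record, or [] if none."""
    if record.get("operationName", "").lower() != "microsoft.storage/storageaccounts/write":
        return []
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return []  # body not logged: inspect the account's current state instead
    try:
        props = json.loads(body).get("properties", {})
    except json.JSONDecodeError:
        return []
    found = [k for k, weak in WEAK_VALUES.items() if k in props and weak(props[k])]
    if props.get("networkAcls", {}).get("defaultAction") == "Allow":
        found.append("networkAcls.defaultAction")  # firewall opened to all networks
    return found

def triage(records):
    """(caller, resourceId, findings) for each write that weakened a setting."""
    return [(r.get("caller"), r.get("resourceId"), f)
            for r in records if (f := weakened_settings(r))]

# Constructed sample records shaped like exported Azure Activity log events.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
SAMPLE_RECORDS = [
    {"operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "caller": "alice@example.com",
     "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stexample1",
     "properties": {"requestbody": json.dumps({"properties": {
         "allowBlobPublicAccess": True, "networkAcls": {"defaultAction": "Allow"}}})}},
    {"operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "caller": "bob@example.com",
     "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stexample2",
     "properties": {"requestbody": json.dumps({"tags": {"env": "prod"}})}},  # tags only
    {"operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "caller": "bob@example.com", "resourceId": RG + "/providers/Microsoft.Storage/storageAccounts/stexample2",
     "properties": {}},  # different operation, ignored
]
```

Only the first record is reported; the tag-only write and the key-listing event are not storage account configuration changes and pass through untouched.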