Azure API calls indicating role assignment in a storage account
Description
AlphaSOC detected an Azure RBAC role assignment scoped to an Azure Storage Account (a `Microsoft.Authorization/roleAssignments/write` operation recorded in the subscription's Activity Log). Roles assigned at storage account scope, such as Storage Blob Data Contributor or Owner, can grant access to sensitive data held in the account. Adversaries who have obtained a principal with `Microsoft.Authorization/roleAssignments/write` permission may assign elevated roles to themselves or to a principal they control, either to persist or to escalate privileges within the tenant, enabling unauthorized access to stored data.
Impact
Unauthorized role assignments can grant attackers persistent access to storage account contents, including blobs, files, tables, and queues. This may enable data exfiltration, malware distribution via storage, or modification of critical data. A role assignment is independent of the credential or session used to create it, so it persists after the attacker's initial access is revoked unless it is explicitly removed.
Severity
| Severity | Condition |
|---|---|
| Low | Role assignment in storage account by user for first time |
Investigation and Remediation
Review the role assignment details in the Activity Log event: the principal being granted access (and whether it is a user, group, service principal, or managed identity), the assigned role, the scope, and the caller who created the assignment, together with the timestamp and source IP address. Verify the caller's identity and confirm the action was authorized, for example by matching it to a change ticket or a known infrastructure-as-code run. If unauthorized, remove the role assignment immediately (for example with `az role assignment delete`, after confirming the current assignments at that scope with `az role assignment list --scope <storage-account-resource-id>`), audit the storage account's access logs for activity by the granted principal, and investigate the caller's account for compromise, since its own credentials or token were used to create the assignment.
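The following is an added example, not AlphaSOC's own detection code, of the logic described above: it scans Activity Log-style events for successful `Microsoft.Authorization/roleAssignments/write` operations whose resource ID sits under a storage account, resolves the role definition GUID to a name, and raises a Low-severity alert the first time a given caller performs such an assignment. The input records are constructed and use a simplified subset of the real Activity Log schema (in particular `status` is a plain string and the request body is the JSON string Azure stores under `properties.requestbody`); the role GUIDs are the well-known built-in role definition IDs and should be confirmed in your tenant with `az role definition list`.

```python
"""First-time role assignment at storage-account scope (added example).

Records below are constructed to resemble a simplified Azure Activity Log
export; real events carry many more fields and a nested status object.
"""
import json
import re

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# A role assignment's resourceId is the scope it was created at followed by
# /providers/Microsoft.Authorization/roleAssignments/<guid>; we only care
# about scopes that are a storage account.
STORAGE_SCOPE_RE = re.compile(
    r"^(?P<scope>/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Storage/storageAccounts/(?P<account>[^/]+))",
    re.IGNORECASE,
)

# Built-in role definition GUIDs (subset). Verify with `az role definition list`.
BUILTIN_ROLES = {
    "ba92f5b4-2d11-453d-a403-e96b0029c9fe": "Storage Blob Data Contributor",
    "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1": "Storage Blob Data Reader",
    "b7e6dc6d-f1e8-4753-8033-0f276bb0955b": "Storage Blob Data Owner",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"


def _event(time, caller, resource_id, role_guid, principal_id, status="Succeeded",
           operation=ROLE_ASSIGNMENT_WRITE):
    """Build one constructed Activity Log-style record."""
    body = {"properties": {"roleDefinitionId": ROLE_DEF + role_guid,
                           "principalId": principal_id}}
    return {"time": time, "operationName": operation, "status": status,
            "caller": caller, "resourceId": resource_id,
            "properties": {"requestbody": json.dumps(body)}}


STORAGE_RID = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/"
RA = "/providers/Microsoft.Authorization/roleAssignments/"

# Constructed sample events (hypothetical names and GUIDs).
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "alice@contoso.example",
           STORAGE_RID + "stacct1" + RA + "aaaa-1", "ba92f5b4-2d11-453d-a403-e96b0029c9fe", "p-111"),
    _event("2024-05-01T09:05:00Z", "alice@contoso.example",
           STORAGE_RID + "stacct2" + RA + "aaaa-2", "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "p-112"),
    # Resource-group scope, not a storage account: out of scope for this rule.
    _event("2024-05-01T09:10:00Z", "bob@contoso.example",
           SUB + "/resourceGroups/rg-app" + RA + "bbbb-1", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "p-200"),
    # Failed write: nothing was granted, so no alert.
    _event("2024-05-01T09:15:00Z", "mallory@contoso.example",
           STORAGE_RID + "stacct1" + RA + "cccc-1", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "p-300", status="Failed"),
    _event("2024-05-01T09:16:00Z", "mallory@contoso.example",
           STORAGE_RID + "stacct1" + RA + "cccc-2", "b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "p-300"),
    # Unrelated storage operation, ignored by the operationName filter.
    _event("2024-05-01T09:20:00Z", "alice@contoso.example",
           STORAGE_RID + "stacct1", "", "", operation="Microsoft.Storage/storageAccounts/listKeys/action"),
]


def parse_role_assignment(event):
    """Return the assignment details for a successful role-assignment write at
    storage-account scope, or None for anything else."""
    if event.get("operationName") != ROLE_ASSIGNMENT_WRITE:
        return None
    if event.get("status") != "Succeeded":
        return None
    m = STORAGE_SCOPE_RE.match(event.get("resourceId", ""))
    if not m:
        return None
    body = json.loads(event.get("properties", {}).get("requestbody", "{}"))
    props = body.get("properties", {})
    role_guid = props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
    return {"time": event.get("time"), "caller": event.get("caller"),
            "account": m.group("account"), "scope": m.group("scope"),
            "principal_id": props.get("principalId"),
            "role": BUILTIN_ROLES.get(role_guid, role_guid)}


def detect_first_time_assignments(events, seen_callers=()):
    """Alert once per caller on their first storage-account role assignment.
    seen_callers is the historical baseline of callers already observed."""
    seen = set(seen_callers)
    alerts = []
    for ev in events:
        parsed = parse_role_assignment(ev)
        if parsed is None or parsed["caller"] in seen:
            continue
        seen.add(parsed["caller"])
        alerts.append({**parsed, "severity": "Low"})
    return alerts


if __name__ == "__main__":
    for a in detect_first_time_assignments(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['caller']} granted {a['role']} "
              f"to {a['principal_id']} on {a['account']}")
```

Run against the constructed events, this raises two alerts: alice's first assignment (her second, on `stacct2`, is suppressed as no longer first-time) and mallory's successful Storage Blob Data Owner grant on `stacct1`; mallory's failed attempt and bob's resource-group-scoped assignment produce nothing. In a real pipeline the `seen_callers` baseline would be built from historical Activity Log data, and the failed attempt would itself be worth surfacing separately, since a denied `roleAssignments/write` is often the first sign of an attacker probing for escalation.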
Known False Positives
- Legitimate access provisioning for new team members
- Automated provisioning systems granting required permissions
- Infrastructure-as-code deployments managing role assignments