Azure API calls indicating Storage account keys access
Description
AlphaSOC detected access to Azure Storage account keys via
Microsoft.Storage/storageAccounts/listKeys/action. Storage account keys
provide full access to all data within the storage account, including blobs,
files, queues, and tables.
Accessing storage keys may indicate reconnaissance or preparation for unauthorized data access and potential exfiltration. Adversaries who obtain storage account keys can access data without going through Azure RBAC controls, making their activities harder to audit and control.
Impact
Storage account keys grant full access to all data and services within the storage account. Because authentication is tied to the key itself rather than a user identity, it becomes difficult to attribute specific operations to an individual user. An attacker who obtains a key can maintain persistent access, bypass RBAC controls, and reduce identity-level visibility in logs.
Severity
| Severity | Condition |
|---|---|
| Low | Storage keys accessed |
| Medium | Anomalous storage keys access |
Investigation and Remediation
Review Azure Activity logs for
Microsoft.Storage/storageAccounts/listKeys/action events. Identify the
principal that accessed the keys and verify if this was authorized
administrative activity or a sign of credential compromise.
If unauthorized, immediately rotate both storage account keys to invalidate any keys that may have been stolen. Review storage analytics logs for data access patterns indicating exfiltration.
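The Activity log review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it summarises successful listKeys calls per principal and storage account. It assumes records shaped like `az monitor activity-log list` JSON output; the sample events, the `triage_list_keys` function and the allowlist-based definition of "anomalous" are constructed for illustration.

```python
import json

LIST_KEYS = "microsoft.storage/storageaccounts/listkeys/action"
RG = "/subscriptions/00000000/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/"

def _event(ts, caller, op, status, account):
    # Field names assume the JSON shape of `az monitor activity-log list`.
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": RG + account}

OP = "Microsoft.Storage/storageAccounts/listKeys/action"
# Constructed sample records (callers, times and accounts are made up).
SAMPLE_EVENTS = [
    _event("2024-05-01T09:12:02Z", "iac-pipeline@example.invalid", OP, "Started", "appdata"),
    _event("2024-05-01T09:12:03Z", "iac-pipeline@example.invalid", OP, "Succeeded", "appdata"),
    _event("2024-05-03T02:41:55Z", "alice@example.invalid", OP, "Succeeded", "backups"),
    _event("2024-05-03T02:41:10Z", "alice@example.invalid", OP.upper(), "Succeeded", "backups"),
    _event("2024-05-03T02:50:00Z", "bob@example.invalid",
           "Microsoft.Storage/storageAccounts/write", "Succeeded", "appdata"),
]

def triage_list_keys(events, known_callers):
    """Summarise successful listKeys calls per (caller, storage account)."""
    found = {}
    for ev in events:
        if ev.get("operationName", {}).get("value", "").lower() != LIST_KEYS:
            continue  # operation names are compared case-insensitively
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # skip Started/Failed records so each call is counted once
        caller = ev.get("caller") or "<unknown>"
        account = ev.get("resourceId", "").rsplit("/", 1)[-1].lower()
        ts = ev["eventTimestamp"]  # ISO 8601 UTC strings sort chronologically
        row = found.setdefault((caller, account), {
            "caller": caller, "account": account, "count": 0,
            "first_seen": ts, "last_seen": ts,
            # Assumption: "anomalous" means the caller is not on a reviewed allowlist.
            "severity": "Low" if caller in known_callers else "Medium"})
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
    # Medium findings first, then by caller name.
    return sorted(found.values(), key=lambda r: (r["severity"] != "Medium", r["caller"]))

if __name__ == "__main__":
    for row in triage_list_keys(SAMPLE_EVENTS, {"iac-pipeline@example.invalid"}):
        print(json.dumps(row))
```

The `first_seen` and `last_seen` values bound the window to check in storage analytics logs for each account whose keys were listed.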
Known False Positives
- Automated actions by Azure internal services or Infrastructure as Code tools