Azure storage account blob anonymous access is enabled

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-03-17
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004)
Severity	Informational

Description

It is possible to configure anonymous access to blobs within the storage account.

Attacker's Goals

The attacker wants to maintain indirect control over the resource.
Attackers intend to allow public access, making it harder to detect future activity.
Attackers are constantly monitoring for public assets to steal sensitive information.

Investigative actions

Check if the blobs within the storage account should be accessed from all networks.
Disable public network access or disable blob anonymous access to storage account if needed.
Check if the identity performed additional malicious activity and restrict permissions for the identity if required.