Azure storage account was publicly shared

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-03-17
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005) Privilege Escalation (TA0004) Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004)
Severity	Informational

Description

Azure Storage Account network permissions modified to public, exposing data to any network and unauthorized identities.

Attacker's Goals

Attackers want to maintain indirect control over the resource.
Attackers intend to allow public access, making it harder to detect future activity.
Attackers are constantly monitoring for public assets to steal sensitive information.

Investigative actions

Check if the storage account should be accessed from all networks.
Disable public network access if needed.
Check if the identity performed additional malicious activity and restrict permissions for the identity if required.