Azure Storage Azure-Microsoft.Storage

8 operations, identified by operationName in the audit log.

operationName	Description
_catch_all	Catch-all for Azure-Microsoft.Storage rules matching the resource provider but no specific operation.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action	Changes the ownership of a blob in a storage account container (Azure Data Lake Storage Gen2 POSIX-style ACL).
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action	Modifies the POSIX permissions of a blob in an ADLS Gen2 container.
Microsoft.Storage/storageAccounts/blobServices/containers/write	Creates or updates a blob container within a storage account, including access level and metadata.
Microsoft.Storage/storageAccounts/delete	Deletes a storage account and all its data; used in destructive attacks or data-destruction scenarios.
Microsoft.Storage/storageAccounts/listKeys/action	Retrieves the access keys for a storage account, granting full data-plane access; a high-value credential-harvesting operation.
Microsoft.Storage/storageAccounts/regenerateKey/action	Regenerates an access key for a storage account, rotating credentials or locking out legitimate key holders.
Microsoft.Storage/storageAccounts/write	Creates or updates a storage account, including configuration of network rules, encryption, and access tiers.

_catch_all: Azure Storage (catch-all)

Resource provider: Azure-Microsoft.Storage

Description

Catch-all for Azure-Microsoft.Storage rules matching the resource provider but no specific operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action

Resource provider: Azure-Microsoft.Storage

Description

Changes the ownership of a blob in a storage account container (Azure Data Lake Storage Gen2 POSIX-style ACL).

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Blob Storage Permissions Modified source medium: Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.↳ also matches Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action

Resource provider: Azure-Microsoft.Storage

Description

Modifies the POSIX permissions of a blob in an ADLS Gen2 container.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Blob Storage Permissions Modified source medium: Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.↳ also matches Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/blobServices/containers/write

Resource provider: Azure-Microsoft.Storage

Description

Creates or updates a blob container within a storage account, including access level and metadata.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Blob Storage Container Access Level Modified source low: Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/delete

Resource provider: Azure-Microsoft.Storage

Description

Deletes a storage account and all its data; used in destructive attacks or data-destruction scenarios.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`azure.activitylogs.identity.claims_initiated_by_user.name`	is_not_null		2 rules	elastic
`azure.activitylogs.operation_name`	eq	`MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Storage Account Deletion by Unusual User source medium: Identifies when an Azure Storage Account is deleted. Adversaries may delete storage accounts to disrupt operations, destroy evidence, or cause denial of service. This activity could indicate an attacker attempting to cover their tracks after data exfiltration or as part of a destructive attack. Monitoring storage account deletions is critical for detecting potential impact on business operations and data availability.
Azure Storage Account Deletions by User source high: Identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior may indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/listKeys/action

Resource provider: Azure-Microsoft.Storage

Description

Retrieves the access keys for a storage account, granting full data-plane access; a high-value credential-harvesting operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ActivityStatusValue`	eq	`Success`	2 rules	kusto
`azure.activitylogs.identity.authorization.evidence.principal_type`	eq	`User`	1 rule	elastic
`count_`	ge	`5`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Storage Account Keys Accessed by Privileged User source medium: Identifies unusual high-privileged access to Azure Storage Account keys by users with Owner, Contributor, or Storage Account Contributor roles. This technique was observed in STORM-0501 ransomware campaigns where compromised identities with high-privilege Azure RBAC roles retrieved access keys to perform unauthorized operations on Storage Accounts. Microsoft recommends using Shared Access Signature (SAS) models instead of direct key access for improved security. This rule detects when a user principal with high-privilege roles accesses storage keys for the first time in 7 days.

Kusto #

New CloudShell User source low: Identifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only the expected users are using CloudShell.↳ also matches Microsoft.Storage/storageAccounts/write
Rare subscription-level operations in Azure source low: This query looks for a few sensitive subscription-level events based on Azure Activity Logs. For example, this monitors for the operation name 'Create or Update Snapshot', which is used for creating backups but could be misused by attackers to dump hashes or extract sensitive information from the disk.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/regenerateKey/action

Resource provider: Azure-Microsoft.Storage

Description

Regenerates an access key for a storage account, rotating credentials or locking out legitimate key holders.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.outcome`	in	`Success`	1 rule	elastic
`event.outcome`	in	`success`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Storage Account Key Regenerated source low: Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Storage/storageAccounts/write

Resource provider: Azure-Microsoft.Storage

Description

Creates or updates a storage account, including configuration of network rules, encryption, and access tiers.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ActivityStatusValue`	eq	`Success`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Storage Account Blob Public Access Enabled source medium: Identifies when Azure Storage Account Blob public access is enabled, allowing external access to blob containers. This technique was observed in cloud ransom-based campaigns where threat actors modified storage accounts to expose non-remotely accessible accounts to the internet for data exfiltration. Adversaries abuse the Microsoft.Storage/storageAccounts/write operation to modify public access settings.

Kusto #

New CloudShell User source low: Identifies when a user creates an Azure CloudShell for the first time. Monitor this activity to ensure only the expected users are using CloudShell.↳ also matches Microsoft.Storage/storageAccounts/listKeys/action

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)