Azure Storage Blob Uploaded
Tracks successful blob uploads to Azure Storage accounts.
Rule body

```yaml
AnalysisType: rule
Filename: azure_storage_blob_uploaded.py
RuleID: "Azure.MonitorActivity.Storage.Blob.Uploaded"
DisplayName: "Azure Storage Blob Uploaded"
Enabled: true
CreateAlert: false
LogTypes:
  - Azure.MonitorActivity
Severity: Info
Description: >
  Tracks successful blob uploads to Azure Storage accounts.
SummaryAttributes:
  - callerIpAddress
  - resourceId
Tests:
  - Name: Successful Blob Upload
    ExpectedResult: true
    Log:
      {
        "time": "2024-12-19T19:14:59.091Z",
        "resourceId": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/blobServices/default",
        "category": "StorageWrite",
        "operationName": "PutBlob",
        "operationVersion": "2025-11-05",
        "statusCode": 201,
        "statusText": "Success",
        "callerIpAddress": "5.5.5.5:29713",
        "location": "eastus",
        "properties": {
          "accountName": "mystorageaccount",
          "userAgentHeader": "azsdk-python-storage-blob/12.27.1 Python/3.12.9",
          "etag": "\"0x8DE3F32E714874F\"",
          "serviceType": "blob",
          "objectKey": "/mystorageaccount/test/documents/internal_doc_15.txt.ENCRYPTED",
          "metricResponseType": "Success",
          "serverLatencyMs": 11,
          "tlsVersion": "TLS 1.3"
        },
        "tenantId": "87654321-4321-4321-4321-111111111111"
      }
  - Name: Case Insensitive Operation
    ExpectedResult: true
    Log:
      {
        "time": "2024-12-19T19:14:58.986Z",
        "resourceId": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/blobServices/default",
        "operationName": "putblob",
        "statusCode": 201,
        "callerIpAddress": "5.5.5.5:29713",
        "location": "eastus",
        "properties": {
          "accountName": "mystorageaccount",
          "objectKey": "/mystorageaccount/test/documents/file.txt",
          "metricResponseType": "Success"
        },
        "tenantId": "87654321-4321-4321-4321-111111111111"
      }
  - Name: Different Operation
    ExpectedResult: false
    Log:
      {
        "time": "2024-12-19T16:37:59.255Z",
        "resourceId": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/blobServices/default",
        "operationName": "DeleteBlob",
        "callerIpAddress": "203.0.113.10:28915",
        "location": "eastus",
        "properties": {
          "accountName": "mystorageaccount",
          "metricResponseType": "Success",
          "objectKey": "/mystorageaccount/corporate-files/documents/internal_doc_13.txt"
        },
        "tenantId": "87654321-4321-4321-4321-210987654321"
      }
```
Detection logic
Condition
operationName eq "PUTBLOB"
properties.metricResponseType eq "Success"
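
The condition above, evaluated in plain Python over events trimmed from the rule's tests. This is an added example, not the rule file the page names; `deep_get`, `blob_uploaded`, `caller_ip`, `summarize` and `matches` are hypothetical helper names, and the last two sample events are constructed.

```python
# Added sketch of the condition over plain dicts. It is not the contents of
# azure_storage_blob_uploaded.py, which this page does not show.

def deep_get(event, *keys, default=None):
    """Walk nested dicts; return default if a level is missing or not a dict."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def blob_uploaded(event):
    """operationName eq "PUTBLOB" (after upper-casing) and metricResponseType eq "Success"."""
    operation = str(event.get("operationName") or "").upper()
    return (operation == "PUTBLOB"
            and deep_get(event, "properties", "metricResponseType") == "Success")

def caller_ip(event):
    """The samples log callerIpAddress as ip:port; return the address alone."""
    raw = event.get("callerIpAddress") or ""
    # Exactly one colon means IPv4 with a port; anything else is returned unchanged.
    return raw.split(":", 1)[0] if raw.count(":") == 1 else raw

def summarize(event):
    """Who wrote which object to which account."""
    return {"ip": caller_ip(event),
            "account": deep_get(event, "properties", "accountName"),
            "objectKey": deep_get(event, "properties", "objectKey")}

# First three events are trimmed from the rule's own test cases.
SAMPLES = [
    {"operationName": "PutBlob", "callerIpAddress": "5.5.5.5:29713",
     "properties": {"accountName": "mystorageaccount", "metricResponseType": "Success",
                    "objectKey": "/mystorageaccount/test/documents/internal_doc_15.txt.ENCRYPTED"}},
    {"operationName": "putblob", "callerIpAddress": "5.5.5.5:29713",
     "properties": {"accountName": "mystorageaccount", "metricResponseType": "Success",
                    "objectKey": "/mystorageaccount/test/documents/file.txt"}},
    {"operationName": "DeleteBlob", "callerIpAddress": "203.0.113.10:28915",
     "properties": {"accountName": "mystorageaccount", "metricResponseType": "Success",
                    "objectKey": "/mystorageaccount/corporate-files/documents/internal_doc_13.txt"}},
    # Constructed, not from the page: a failed PutBlob and a malformed event.
    {"operationName": "PutBlob", "properties": {"metricResponseType": "AuthorizationError"}},
    {"operationName": None, "properties": None},
]

def matches(events=SAMPLES):
    return [summarize(e) for e in events if blob_uploaded(e)]
```

Because the rule sets `CreateAlert: false` at `Info` severity, the summarized rows are the kind of output to aggregate or correlate rather than page on.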
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| operationName | eq | "PUTBLOB" |
| properties.metricResponseType | eq | "Success" |