Security Monitoring and Detection Tips for your Storage Account – Part 3

In the previous article you learned about different ways to collect Azure Storage account logs. You also learned about a model for centralizing Storage account logs. However you choose to build it, your storage account logs should be ready to be analyzed.

In this article, let’s poke at the Advanced Threat Protection (ATP) coverage for storage accounts and see what an alert looks like in Azure Security Center.

Pre-requisites

Before we can simulate alerts and analyze Storage Account logs, there are some pre-requisites:

  • Your storage account must have Advanced Threat Protection (ATP) enabled.
  • Azure Activity Log and storage account logs are streamed to a Log Analytics workspace or an Event Hub. If you use Event Hub you don’t have to build a message reader utility; you can use the Process data feature to query Event Hub messages.

For a more real-world experience, let’s deploy the compliant storage account template here.

Create sample data

Before we take action to trigger an Azure Security Center alert, let’s build some sample data. You can create a container and upload any file from your computer to the storage account container. If you are feeling lazy, use my dirty script below:

This script creates 100 *.json files and 5 containers. Each *.json file contains fake employee data (FullName and ID). All files are uploaded to each container. Each container is also given a random public access level (e.g. Container).
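As an added example (my own script, not the post’s), here is one way to seed that data with the Az.Storage PowerShell module. It assumes you are already signed in with Connect-AzAccount and that $ResourceGroup and $StorageAccountName point at a lab storage account with ATP enabled; the employee names are constructed.

```powershell
# Added example: seed a lab storage account with fake employee JSON files.
# Assumes Az.Storage is installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [int] $ContainerCount = 5,
    [int] $FileCount = 100
)

$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName).Context

# Constructed sample names; the same 100 records are uploaded to every container.
$firstNames = 'Alice','Bob','Chen','Dana','Eve','Farid','Grace','Hiro'
$lastNames  = 'Nguyen','Smith','Garcia','Okafor','Kim','Rossi','Patel','Weber'
$tmp = Join-Path ([IO.Path]::GetTempPath()) "atp-sample-$(Get-Random)"
New-Item -ItemType Directory -Path $tmp | Out-Null

1..$FileCount | ForEach-Object {
    $employee = [pscustomobject]@{
        FullName = "$(Get-Random -InputObject $firstNames) $(Get-Random -InputObject $lastNames)"
        ID       = 'EMP{0:D5}' -f $_
    }
    $employee | ConvertTo-Json | Set-Content -Path (Join-Path $tmp "employee-$($_).json")
}

# Public access levels: Off = private, Blob = anonymous read of blobs,
# Container = anonymous listing and read. Blob/Container are what the
# anonymous-access and Tor alerts later in the post rely on.
$accessLevels = 'Off','Blob','Container'

1..$ContainerCount | ForEach-Object {
    $name   = "sample-$_"
    $access = Get-Random -InputObject $accessLevels
    New-AzStorageContainer -Name $name -Context $ctx -Permission $access | Out-Null
    Get-ChildItem -Path $tmp -Filter '*.json' | ForEach-Object {
        Set-AzStorageBlobContent -File $_.FullName -Container $name -Blob $_.Name -Context $ctx -Force | Out-Null
    }
    # Emit a record per container so you know which ones are anonymously readable.
    [pscustomobject]@{ Container = $name; PublicAccess = $access }
}

Remove-Item -Path $tmp -Recurse -Force
```

Keep the output table: it tells you which containers were made public and therefore which blob URLs to use when simulating the anonymous-access alerts below.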

Unusual data exploration in a storage account

When your storage account receives a massive number of hits, Azure Security Center creates an alert to indicate that the storage account may be being enumerated by someone (reconnaissance). Run the following script and pray that Azure Security Center creates an alert.

Access from a Tor exit node to a storage account

The ATP feature for Storage accounts can detect whether a request comes from a Tor exit node. To simulate this alert type, simply download the Tor browser and browse to a blob that allows anonymous access.

An alert raised when your storage account is accessed by someone using the Tor browser / coming from a Tor network node

Without the alert you would have had no idea where the request originated from. However, you definitely know that this storage account had one or more blobs set to public.

Anonymous access to a storage account

This alert can be simulated easily. As long as you have a blob that is accessible anonymously, there is a high chance of triggering Azure Security Center. You would need to use a third-party service to browse your blob from another country. This would also generate an “Access from unusual location to a storage account” alert.

Don’t just stick to one storage account or blob. Try to browse/send requests to different storage accounts or blobs. Besides using a third-party service, you could provision a virtual machine in a different region and send requests to the blob URL.

Potential malware uploaded to a storage account

ATP is promised to detect malware in storage accounts. It is similar to the ATP feature you may have seen when working with OneDrive. To simulate a malware detection alert, simply take the EICAR test virus sample and upload it to a storage account.

Conclusion

This article simply shows the Advanced Threat Protection capability for the Azure Storage resource type. ATP has some built-in machine learning algorithms to detect unusual access or locations, so not all alerts can be simulated easily.

Next, we will look into some common attack vectors targeting your storage account.
