Azure storage blobs made public and by whom
An administrator with sufficient permissions can configure an Azure storage account to allow public access (the allowBlobPublicAccess property of the account). Only when that account-level setting is enabled can an administrator with the appropriate permissions change an individual container's public access level to permit anonymous, unauthenticated reads of its blobs. Blob data is never exposed anonymously unless an administrator takes that additional, explicit step at the container level.
Data required
Microsoft: Azure Active Directory audit data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:audit" | rex field="properties.responseBody" "allowBlobPublicAccess\"\:(?<publicblobsetting>\w+)" | stats count BY caller subscriptionId object_attrs action operationName.localizedValue status.value publicblobsetting _time | rename caller AS User subscriptionId AS "Subscription ID" object_attrs AS "Object Type" action AS Action operationName.localizedValue AS "Action Description" status.value AS Status publicblobsetting AS "Public Allowed" | fields - count | sort - _time
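To show what the search produces on concrete data, here is an added Python example (not part of the original page and not code from Splunk) that applies the same regex extraction, grouping, renaming and sorting to a handful of constructed events shaped like mscs:azure:audit records. The field names mirror the search above; the callers, subscription ID, timestamps and response bodies are placeholders invented for the example.

```python
import re
from typing import Optional

# Same extraction as the rex stage of the search, tolerating optional whitespace
# around the colon in the JSON response body.
PUBLIC_ACCESS_RE = re.compile(r'allowBlobPublicAccess"\s*:\s*(?P<publicblobsetting>\w+)')

# Column renames, mirroring the rename stage of the search.
RENAMES = {
    "caller": "User",
    "subscriptionId": "Subscription ID",
    "object_attrs": "Object Type",
    "action": "Action",
    "operationName.localizedValue": "Action Description",
    "status.value": "Status",
}

# Constructed sample events (placeholders, not real Azure output). Event 3 is a
# key-listing operation whose response body carries no allowBlobPublicAccess
# value; event 4 is a failed attempt to enable public access.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:15:00Z", "caller": "admin@example.com",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "object_attrs": "Microsoft.Storage/storageAccounts", "action": "write",
     "operationName": {"localizedValue": "Create/Update Storage Account"},
     "status": {"value": "Succeeded"},
     "properties": {"responseBody": '{"properties":{"allowBlobPublicAccess":true,"minimumTlsVersion":"TLS1_2"}}'}},
    {"_time": "2024-03-01T11:40:00Z", "caller": "ops@example.com",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "object_attrs": "Microsoft.Storage/storageAccounts", "action": "write",
     "operationName": {"localizedValue": "Create/Update Storage Account"},
     "status": {"value": "Succeeded"},
     "properties": {"responseBody": '{"properties":{"allowBlobPublicAccess": false}}'}},
    {"_time": "2024-03-01T12:00:00Z", "caller": "ops@example.com",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "object_attrs": "Microsoft.Storage/storageAccounts", "action": "action",
     "operationName": {"localizedValue": "List Storage Account Keys"},
     "status": {"value": "Succeeded"},
     "properties": {"responseBody": '{"keys":[]}'}},
    {"_time": "2024-03-01T08:05:00Z", "caller": "contractor@example.com",
     "subscriptionId": "00000000-0000-0000-0000-000000000001",
     "object_attrs": "Microsoft.Storage/storageAccounts", "action": "write",
     "operationName": {"localizedValue": "Create/Update Storage Account"},
     "status": {"value": "Failed"},
     "properties": {"responseBody": '{"properties":{"allowBlobPublicAccess":true}}'}},
]


def get_path(event: dict, dotted: str):
    """Resolve a Splunk-style dotted field name such as status.value against nested JSON."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def extract_public_setting(event: dict) -> Optional[str]:
    """rex stage: pull the true/false value out of properties.responseBody, or None."""
    body = get_path(event, "properties.responseBody")
    if not isinstance(body, str):
        return None
    match = PUBLIC_ACCESS_RE.search(body)
    return match.group("publicblobsetting") if match else None


def public_access_changes(events) -> list:
    """stats count BY ... | rename ... | fields - count | sort - _time.

    Events with no extracted value are dropped, exactly as stats BY drops events
    missing a grouping field; identical rows collapse into one, as stats would.
    """
    seen = set()
    rows = []
    for ev in events:
        setting = extract_public_setting(ev)
        if setting is None:
            continue
        row = {"_time": ev.get("_time")}
        row.update({new: get_path(ev, old) for old, new in RENAMES.items()})
        row["Public Allowed"] = setting
        key = tuple(sorted(row.items()))
        if key in seen:
            continue
        seen.add(key)
        rows.append(row)
    # ISO 8601 timestamps sort correctly as strings; newest first.
    rows.sort(key=lambda r: r["_time"], reverse=True)
    return rows


def users_enabling_public_access(rows) -> set:
    """Who actually succeeded in setting allowBlobPublicAccess to true."""
    return {r["User"] for r in rows
            if r["Public Allowed"] == "true" and r["Status"] == "Succeeded"}


if __name__ == "__main__":
    for row in public_access_changes(SAMPLE_EVENTS):
        print(row["_time"], row["User"], row["Status"], "Public Allowed =", row["Public Allowed"])
    print("enabled by:", users_enabling_public_access(public_access_changes(SAMPLE_EVENTS)))
```

Because the search groups by status.value, the failed attempt by the contractor appears in the output alongside the successful changes; that is deliberate, since a failed attempt to expose data is still worth attributing, but only successful changes should drive the container-level follow-up.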
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype="mscs:azure:audit" | Search only Azure audit data. |
| \| rex field="properties.responseBody" "allowBlobPublicAccess\"\:(?<publicblobsetting>\w+)" | Extract whether the allowBlobPublicAccess property in the response body was set to true or false. Events whose response body does not contain the property get no value and are dropped by the following stats command. |
| \| stats count BY caller subscriptionId object_attrs action operationName.localizedValue status.value publicblobsetting _time | Group by the interesting fields: who made the change, in which subscription, on what object, what the operation was, whether it succeeded, and the resulting value. |
| \| rename caller AS User subscriptionId AS "Subscription ID" object_attrs AS "Object Type" action AS Action operationName.localizedValue AS "Action Description" status.value AS Status publicblobsetting AS "Public Allowed" | Rename fields for better readability. |
| \| fields - count | Remove the count field. |
| \| sort - _time | Sort by the most recent events first. |
Next steps
The results from this search show, from Azure audit logs, when an administrator enabled (or disabled) anonymous public access at the storage account level and which identity made the change. This on its own does not mean the data in the storage account becomes public: enabling the account-level setting only permits containers within that account to be configured for public access, so the next step is to review the public access level of each container in the affected accounts. Check the Status column as well, since a failed attempt to enable public access still identifies an account that tried.
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.