Splunk Lantern

Azure public storage blobs with anonymous access traffic

 

There are several steps that administrators take to make an Azure Storage Blob publicly accessible. This search identifies storage containers that are actively accessed anonymously without authentication. The search also allows you to leverage the data to identify the geographical location of the users accessing your data.

Data required

Microsoft: Azure Event Hub data

Procedure

  1. Configure the Splunk Add-on for Microsoft Cloud Services.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:eventhub" "body.records.category"=StorageRead "body.records.identity.type"=Anonymous* 
| rex field=_raw "(?:\"callerIpAddress\"\:\s\")(?<IP>\S+)(?:\:)" 
| iplocation IP
| fillnull value="N/A"
| stats count BY IP lat lon City Region Country body.records.category body.records.identity.type body.records.operationName body.records.properties.accountName body.records.properties.objectKey body.records.properties.referrerHeader body.records.properties.userAgentHeader body.records.resourceType _time
| rename body.records.category AS Category body.records.identity.type AS "Auth" body.records.operationName AS Operation body.records.properties.accountName AS "Storage Account" body.records.properties.objectKey AS Path body.records.properties.referrerHeader AS Referrer body.records.properties.userAgentHeader AS UserAgent body.records.resourceType AS ResourceType
| geostats latfield=lat longfield=lon count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search
Explanation

sourcetype="mscs:azure:eventhub" "body.records.category"=StorageRead "body.records.identity.type"=Anonymous*
Search only Azure Event Hub data and filter to the Storage Read category with an anonymous authentication type.

| rex field=_raw "(?:\"callerIpAddress\"\:\s\")(?<IP>\S+)(?:\:)"
Extract the IP from the callerIpAddress field.

| iplocation IP
Identify the geographic location of the caller IP address.

| fillnull value="N/A"
Populate null fields with the value N/A.

| stats count BY IP lat lon City Region Country body.records.category body.records.identity.type body.records.operationName body.records.properties.accountName body.records.properties.objectKey body.records.properties.referrerHeader body.records.properties.userAgentHeader body.records.resourceType _time
Count by interesting fields related to blob access.

| rename body.records.category AS Category body.records.identity.type AS "Auth" body.records.operationName AS Operation body.records.properties.accountName AS "Storage Account" body.records.properties.objectKey AS Path body.records.properties.referrerHeader AS Referrer body.records.properties.userAgentHeader AS UserAgent body.records.resourceType AS ResourceType
Rename fields for better readability.

| geostats latfield=lat longfield=lon count
Display the anonymous activity on a map.
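
The filter, IP extraction and count stages of the search, reproduced offline in Python as an added example (not part of the original article and not Splunk's own code). The events are constructed, the `body` -> `records` nesting is an assumption inferred from the field names in the search, the account name is hypothetical, and geolocation is omitted.

```python
import json
from collections import Counter

def make_event(category, auth, caller, account, key):
    """Build one constructed raw event; the body -> records nesting is an assumption."""
    return json.dumps({"body": {"records": {
        "category": category, "operationName": "GetBlob",
        "callerIpAddress": caller, "identity": {"type": auth},
        "properties": {"accountName": account, "objectKey": key},
    }}})

# Constructed sample events (documentation IP ranges, hypothetical account name).
SAMPLE_EVENTS = [
    make_event("StorageRead", "Anonymous", "203.0.113.10:51544", "examplestore", "/examplestore/public/report.pdf"),
    make_event("StorageRead", "Anonymous", "203.0.113.10:51570", "examplestore", "/examplestore/public/report.pdf"),
    make_event("StorageRead", "SAS", "198.51.100.7:40022", "examplestore", "/examplestore/private/db.bak"),
    make_event("StorageWrite", "Anonymous", "198.51.100.9:40100", "examplestore", "/examplestore/public/upload.bin"),
    make_event("StorageRead", "Anonymous", "192.0.2.44", "examplestore", "/examplestore/public/logo.png"),
]

def caller_ip(value):
    """Drop the trailing :port, as the rex stage does (assumes IPv4 address:port).

    A value with no port yields "N/A", the state the search reaches when the
    rex finds no trailing colon and fillnull populates the empty IP field.
    """
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() else "N/A"

def anonymous_reads(raw_events):
    """Count anonymous StorageRead requests by (account, path, caller IP)."""
    counts = Counter()
    for raw in raw_events:
        rec = json.loads(raw)["body"]["records"]
        if rec.get("category") != "StorageRead":
            continue  # first filter of the search: read operations only
        if not rec.get("identity", {}).get("type", "").startswith("Anonymous"):
            continue  # mirrors the Anonymous* wildcard on identity.type
        props = rec.get("properties", {})
        counts[(props.get("accountName", "N/A"), props.get("objectKey", "N/A"),
                caller_ip(rec.get("callerIpAddress", "")))] += 1
    return counts

if __name__ == "__main__":
    for (account, path, ip), n in anonymous_reads(SAMPLE_EVENTS).most_common():
        print(f"{n:>3}  {ip:<15} {account}  {path}")
```

Rows that come back with an IP of N/A cannot be geolocated, so they are worth reviewing in the tabular output rather than on the map.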

Next steps

By default, Azure monitors for storage accounts that are configured to potentially allow public access, but it does not alert when users are anonymously accessing your data. This search correlates the data sources so you can see which public access accounts are receiving anonymous access traffic.

If you remove the geostats command and run the search, you can review the fields being ingested from Azure.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.