Skip to main content
Splunk Lantern

Azure storage blobs made public and by who

 

An administrator with sufficient permissions can configure an Azure storage account to allow public access. When public access is allowed, an administrator with the appropriate permissions can modify a container's public access setting within the Azure storage account to enable anonymous public access to the data. Blob data is never available for anonymous public access unless an administrator takes the additional step to explicitly configure the container's public access setting.

​​​​​Data required 

Microsoft: Azure Active Directory audit data

Procedure

  1. Configure the Splunk Add-on for Microsoft Cloud Services.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:audit" 
| rex field="properties.responseBody" "allowBlobPublicAccess\"\:(?<publicblobsetting>\w+)" 
| stats count BY caller subscriptionId object_attrs action operationName.localizedValue status.value publicblobsetting _time 
| rename caller AS User subscriptionId AS "Subscription ID" object_attrs AS "Object Type" action AS Action operationName.localizedValue AS "Action Description" status.value AS Status publicblobsetting AS "Public Allowed" 
| fields - count 
| sort - _time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="mscs:azure:audit"

Search only Azure audit data.

|| rex field="properties.responseBody" "allowBlobPublicAccess\"\:(?<publicblobsetting>\w+)" 

Extract whether the public access property was set to true or false.

| stats count BY caller subscriptionId object_attrs action operationName.localizedValue status.value publicblobsetting _time Count by interesting fields.
| rename caller AS User subscriptionId AS "Subscription ID" object_attrs AS "Object Type" action AS Action operationName.localizedValue AS "Action Description" status.value AS Status publicblobsetting AS "Public Allowed"  Rename fields for better readbility.
| fields - count  Remove the count field.
| sort - _time Sort by the most recent events first.

Next steps

The results from this search show when an administrator enables public access at the storage account level through Azure audit logs. This does not mean the data that resides in the storage account and container becomes public. If an Azure storage account is set for public access, this allows containers within the storage account to be modified to allow for public access.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.