I received an email from Azure Security Center that caught my attention, but in reality was putting all of my advice on this blog to work. The email indicated that a security alert had been triggered for a suspicious amount of data being deleted from an Azure storage account. The summary of the email is shown below:

What could this alert be? Let’s investigate!

The alert in email was a link to a more comprehensive report (in the View Alert link in the email) that was generated from Azure Security Center which I set up a few weeks ago. Note that I did not get an Azure Advisor alert for this situation. The email alert included the source IP address of the operations, so I had indication that it was not a true breach; but in line with the activity of this data (more on that in a bit). The full alert has much more information including how many blobs, how much data and what operations were used to delete this data. Here is a view of some of that information:

The full Azure Security Center alert has all the details you need!

What also was helpful was at the bottom of this alert was some questions around if this was a true threat or if this was not so that future Security Center Alerts for this scenario are treated correctly. This is smart so it can prevent alerts for false positives if this is normal behavior for your Azure usage.

For this particular storage account, this was expected behavior. This particular set of blobs are backup data, and what transpired is that a certain amount of data has aged out of retention. This is a new storage account that was set up recently and this data was due to age out, so not a true alert. But what was really impressive about the Azure Security Center alert is that the “User Agent” field of the alert along with the operation types tells me exactly how the blobs were deleted. Doesn’t explain why (that’s the retention part), but this is a very comprehensive alert from Azure Security Center that makes me feel good to know that I have good visibility into the activities on the Azure storage accounts.

How do you interpret Azure Security Center Alerts? Each Azure service likely has different alerts, share your tips below on them.

Advertisements