Anonymous Retrieval Of Azure Blob Versions
Query
let VersionEnumeration= StorageBlobLogs
| where AuthenticationType == "Anonymous"
| where Uri has "include=versions"
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| summarize by ObjectKey, EnumerationTimeGenerated=TimeGenerated, IPAddress;
StorageBlobLogs
| where AuthenticationType == "Anonymous"
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| where OperationName == "GetBlob"
| extend ObjectKeyJSON = parse_path(ObjectKey)
| extend ObjectKey = tostring(ObjectKeyJSON.DirectoryPath)
| extend Filename = tostring(ObjectKeyJSON.Filename)
| join kind=inner (VersionEnumeration) on ObjectKey, IPAddress
| extend TimeDifference = datetime_diff('minute', TimeGenerated, EnumerationTimeGenerated)
| where TimeDifference between (0 .. 10)Explanation
This query is designed to detect suspicious activities involving Azure Blob Storage. Specifically, it looks for instances where an unauthenticated (anonymous) user accesses the version history of a storage blob and then downloads a blob from the same location within a 10-minute timeframe. This behavior could indicate an attempt to access sensitive information that might have been present in previous versions of a file, such as credentials or personal data.
Here's a breakdown of the query's components:
-
Version Enumeration: The query first identifies instances where an anonymous user lists the versions of a blob. It captures the IP address and the time of this activity.
-
Blob Download: It then checks for any blob download operations by the same anonymous user from the same IP address.
-
Time Correlation: The query correlates these two activities (version enumeration and blob download) to see if they occur within a 10-minute window.
-
Alert Generation: If such a sequence is detected, an alert is generated. The alert includes details about the file and the IP address involved.
-
Severity and Tactics: The rule is marked with a low severity level and is associated with tactics like Collection and Exfiltration, indicating potential data theft.
-
Incident Management: If an incident is created, it will group related activities within a 5-hour window to provide a comprehensive view of the suspicious behavior.
Overall, this query helps identify potential unauthorized access to sensitive data in Azure Blob Storage by monitoring for specific patterns of anonymous activity.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
LowTactics
Frequency: 10m
Period: 12m