Potential Storage Enumeration Or Brute Force Attack
Query
let AllBlobActions= StorageBlobLogs
| extend IPAddress = tostring(split(CallerIpAddress, ':')[0])
| summarize Count=count() by _ResourceId, AccountName, IPAddress, StatusText, OperationName, Category;
AllBlobActions
| where StatusText == "Success"
| project-rename SuccessCount = Count
| join kind=inner (AllBlobActions
| where StatusText != "Success"
| project-rename NonSuccessCount = Count)
on AccountName, IPAddress
| extend PercentageOfFailedRequests = (todouble(NonSuccessCount) / (toint(SuccessCount) + toint(NonSuccessCount))) * 100
| where PercentageOfFailedRequests > 90Explanation
This query is designed to detect potential malicious activities targeting Azure Blob Storage. It specifically looks for patterns of failed access attempts from a single source IP address where the failure rate exceeds 90%. This high failure rate could indicate malicious intent, such as:
- Blind Enumeration: The attacker might be trying to guess blob names or container structures to find valid resources.
- Brute Force: The attacker could be repeatedly attempting to bypass authentication using incorrect keys or tokens.
- Reconnaissance: The attacker might be mapping out the cloud infrastructure's availability.
The query runs every 5 minutes and analyzes data from the past 6 minutes. It calculates the percentage of failed requests from each IP address and flags those with a failure rate greater than 90%. If such activity is detected, an incident is created with a medium severity level.
The query also includes configurations for incident management, such as grouping related alerts by IP and Azure resource, and suppressing duplicate alerts for 5 hours. The tactics and techniques associated with this activity include Discovery, Credential Access, and Collection, with specific references to MITRE ATT&CK techniques like T1619, T1110, T1580, and T1530.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 5m
Period: 6m