← Back to SOC feed Coverage →

Azure Storage file upload from VPS Providers

kql MEDIUM Azure-Sentinel
T1570
huntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-04-23T09:00:00Z · Confidence: medium

Hunt Hypothesis

‘Looks for file uploads actions to Azure File and Blob Storage from known VPS provider network ranges. This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent provi

KQL Query


let IP_Data = (externaldata(network:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv"] with (format="csv"));
union
StorageFileLogs,
StorageBlobLogs
//File upload operations
| where StatusText =~ "Success"
| where OperationName =~ "PutBlob" or OperationName =~ "PutRange"
| evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false)
| summarize make_set(OperationName), min(TimeGenerated), max(TimeGenerated) by IPCustomEntity=CallerIpAddress, URLCustomEntity=Uri

Analytic Rule Definition

id: 85e16874-72aa-4ebe-b36e-e45f8ba50f79
name: Azure Storage file upload from VPS Providers
description: |
  'Looks for file uploads actions to Azure File and Blob Storage from known VPS provider network ranges.
  This is not an exhaustive list of VPS provider ranges but covers some of the most prevalent providers observed.'
requiredDataConnectors: []
tactics:
  - LateralMovement
relevantTechniques:
  - T1570
tags:
  - Ignite2021
query: |

  let IP_Data = (externaldata(network:string)
  [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/VPS_Networks.csv"] with (format="csv"));
  union
  StorageFileLogs,
  StorageBlobLogs
  //File upload operations
  | where StatusText =~ "Success"
  | where OperationName =~ "PutBlob" or OperationName =~ "PutRange"
  | evaluate ipv4_lookup(IP_Data, CallerIpAddress, network, return_unmatched = false)
  | summarize make_set(OperationName), min(TimeGenerated), max(TimeGenerated) by IPCustomEntity=CallerIpAddress, URLCustomEntity=Uri  
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/AzureStorage/AzureStorageUploadFromVPS.yaml