AZT703.1 - Replication: Storage Account Replication

By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.

Resource

Azure Storage Account

Actions

• Microsoft.Storage/storageAccounts/write

Examples

Az PowerShellAzure CLIAzure Portal

New-AzStorageObjectReplicationPolicyRule

az storage account or-policy rule add

Detections

Detection Details

A policy can be created to alert when replication is set up.

Logs

Data Source	Operation Name	Action	Log Location
Resource	Put Object Replication Policy	Microsoft.Storage/storageAccounts/objectReplicationPolicies/write	Azure Activity Log

Queries

 |where OperationNameValue=="Microsoft.Storage/storageAccounts/objectReplicationPolicies/write"

Additional Resources

• https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal
• https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-prevent-cross-tenant-policies?tabs=portal