---
title: Anomalous volume of Azure Storage downloads requests from AzCopy user agent
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anomalous volume of Azure Storage
  downloads requests from AzCopy user agent
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Anomalous volume of Azure Storage downloads requests from AzCopy user agent
Classification:attackTactic:[TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)Technique:[T1530-data-from-cloud-storage](https://attack.mitre.org/techniques/T1530) 
## Goal{% #goal %}

Detect an anomalous volume of Azure Storage download requests originating from the `AzCopy` command-line utility.

## Strategy{% #strategy %}

This rule monitors Azure Storage logs for `GetBlob` and `GetFile` operations where the user agent contains `AzCopy`, grouped by source IP address. It uses anomaly detection to identify unusual spikes in download volume from a 24-hour baseline. AzCopy is a legitimate Microsoft utility for transferring data to and from Azure Storage, but attackers who have obtained valid credentials may use it to exfiltrate large volumes of data from storage accounts due to its support for bulk parallel transfers.

## Triage and response{% #triage-and-response %}

- Identify the source IP `{{@ocsf.src_endpoint.ip}}` and determine if it belongs to a known internal service, CI/CD pipeline, or authorized user.
- Review the storage accounts and containers targeted by the download requests to assess the sensitivity of the accessed data.
- Check whether the volume of downloads correlates with a known scheduled job such as a backup, migration, or data sync operation.
- Examine Microsoft Entra ID sign-in logs for the associated identity to determine if the session was established through normal authentication or if the credentials used to establish the session may have been compromised.
- Determine if the source IP has been observed performing other unusual storage operations such as listing containers or accessing storage accounts it does not normally interact with.
