Azure snapshot export URI created

Classification:

attack

Tactic:

Technique:

Goal

Detect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.

Monitor Azure logs where @evt.name is "MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION" and @evt.outcome is Success.

Verify the snapshot (@resourceId) has a legitimate reason for being exported.
If the activity is not expected, investigate the activity around the IP ({{@network.client.ip}}) creating the export URL.