Azure Defender: Unusual unauthenticated access to your storage account
Investigating the Azure Defender alert "Unusual unauthenticated access to your storage account". What is the $web container?
![Azure Defender: Unusual unauthenticated access to your storage account](/content/images/size/w2000/2021/10/azure-defender2.jpg)
Had a brief head scratching moment today with an Azure Defender alert.
A production storage account with a $web container that's apparently been accessed anonymously, without a SAS token or other authentication. Initially not an ideal situation with a prod resource...
![](https://www.cyber.engineer/content/images/2021/10/image-3.png)
Checking public access level
First port of call is to check the public access level for the container. In this case, I was presented with access level "Private" for this container.
This will confuse analysts as it did me....
![](https://www.cyber.engineer/content/images/2021/10/image-5.png)
What is the $web container?
A storage account can host a static website, which is enabled via "Static website" under "Data Management". As soon as you enable this, the "$web" container is created to hold your web files. See below.
![](https://www.cyber.engineer/content/images/2021/10/image-4.png)
Understanding $web container access level
"You can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files."
Disabling public access on a storage account does not affect static websites that are hosted in that storage account.
The key to the question is here:
Essentially, if you "Disable public access to blobs" in a storage account, the setting will not apply to a $web container, because anonymous web request activity is expected to occur when the account is hosting a static website.
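To make that triage repeatable, here is a small Python sketch that sorts anonymous requests into "expected static website traffic" and "needs a look". It is an added example, not code from the original post or from Microsoft; the account name `examplestore`, the `ACCOUNT` dictionary layout, the verdict strings and the sample requests are all constructed, and it assumes the request URL shows which endpoint (`web.core.windows.net` or `blob.core.windows.net`) was hit.

```python
from urllib.parse import urlparse

# Constructed account state; "examplestore" and its containers are made up.
ACCOUNT = {
    "static_website_enabled": True,
    "allow_blob_public_access": False,  # "Disable public access to blobs"
    "containers": {"$web": "off", "backups": "off"},  # per-container level
}

def triage(auth_type, url, status, account=ACCOUNT):
    """Classify one storage request behind an unauthenticated-access alert."""
    if auth_type.lower() != "anonymous":
        return "authenticated"
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(".web.core.windows.net"):
        # Static website endpoint: served anonymously (read-only) once the
        # feature is on, whatever access level the $web container shows.
        if account["static_website_enabled"]:
            return "expected-static-website"
        return "investigate"
    if host.endswith(".blob.core.windows.net"):
        container = parsed.path.lstrip("/").split("/", 1)[0]
        level = account["containers"].get(container, "off")
        public = account["allow_blob_public_access"] and level in ("blob", "container")
        if public:
            return "public-container-review-exposure"
        # Private container: an anonymous request should not succeed.
        return "investigate" if 200 <= status < 300 else "denied"
    return "investigate"

# Constructed requests (not taken from the alert in this post).
SAMPLES = [
    ("Anonymous", "https://examplestore.z6.web.core.windows.net/index.html", 200),
    ("Anonymous", "https://examplestore.blob.core.windows.net/$web/index.html", 404),
    ("Anonymous", "https://examplestore.blob.core.windows.net/backups/db.bak", 200),
    ("SAS", "https://examplestore.blob.core.windows.net/backups/db.bak?sv=...", 200),
]

def run_samples():
    return [triage(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:34} {sample[1]}")
```

Only the first sample matches the situation in this post: a "Private" $web container that is still read anonymously through the static website endpoint.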
I hope that clears things up
Have a good day!
More about Azure Defender here:
Update 09/11/2021
Had an email from Microsoft - they've had issues on their side for a week due to a patch for storage containers which has since been reversed. This may also have caused these alerts to flag.