Azure Batch Shared Access Key

Detects Azure Batch account shared access key patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: structurally constrained Base64 key pattern with Azure Batch context keywords reduces false positive rates significantly. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Mixed

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)(?:AccountKey|SharedAccessKey|batch[._-]?key)\s*=\s*[A-Za-z0-9+/\s]{43,92}={0,2}

Corroborative evidence keywords

batch, Azure Batch, AccountKey, SharedAccessKey, batch account, batch service, api key, access key, api_key, apikey, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential, database (+43 more)

Proximity: 300 characters

Should match

• AccountKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== — Standard Azure Batch account key (88 chars Base64)
• SharedAccessKey=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUV== — Batch shared access key with mixed characters
• batch_key=0000000000000000000000000000000000000000000= — Batch key with numeric test value

Should not match

• AccountKey=shortkey — Too short to be a valid Base64 key
• AccountName=mybatchaccount — Account name, not a key
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Configuration templates with placeholder Base64 values for Azure Batch accounts. Mitigation: Check for common placeholder patterns and combine with Azure Batch specific context keywords.
• Other Azure service keys that use similar Base64 encoding format. Mitigation: Use corroborative keywords specific to Azure Batch to differentiate from other Azure services.

References

• Azure Batch shared access key entity definition - Microsoft Learn