Azure SAS

Detects Azure Shared Access Signature (SAS) token patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: the sv= date parameter combined with sig= signature parameter is a unique structural pattern for Azure SAS tokens. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Not detected

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)[?&]sv=\d{4}-\d{2}-\d{2}&[a-z]+=\s*&sig=[A-Za-z0-9%+/=]+

Corroborative evidence keywords

SAS, shared access signature, sv=, sig=, Azure, blob, storage, container, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+45 more)

Proximity: 300 characters

Should match

• ?sv=2021-06-08&ss=b&srt=sco&sp=rwdlacitfx&se=2025-01-01T00:00:00Z&st=2024-01-01T00:00:00Z&spr=https&sig=AAAAAAAAAAAAAAAAAAA%3D — Azure Storage SAS token
• ?sv=2020-08-04&sr=c&sp=rl&sig=0000000000000000000000000000%2B%2F00%3D — Container SAS with read/list permissions
• &sv=2022-11-02&se=2025-12-31&sr=b&sp=r&sig=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef%3D — Blob SAS with read permission

Should not match

• ?sv=2021-06-08&ss=b — Partial SAS parameters without sig
• ?version=2021-06-08&type=blob — Non-SAS query parameters
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Azure Storage documentation with example SAS tokens. Mitigation: Check for common placeholder values and documentation context.
• Expired SAS tokens that no longer grant access. Mitigation: Check se= (expiry) parameter to determine if the token is still valid, but flag regardless.

References

• Azure SAS entity definition - Microsoft Learn