Azure Storage Account Key (Generic)

Detects generic Azure Storage account key patterns including keys assigned to variables or configuration properties. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

medium

Confidence justification

Medium confidence: matches storage key assignments but the Base64 pattern can overlap with other encoded data. Context keywords improve accuracy. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Partial

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)(?:storage[._-]?key|account[._-]?key|storage[._-]?account[._-]?key)\s*[:=]\s*"?[A-Za-z0-9+/\s]{43,92}={0,2}"?

Corroborative evidence keywords

storage account, storage key, account key, Azure Storage, blob storage, core.windows.net, access key, container, api key, api_key, apikey, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+44 more)

Proximity: 300 characters

Should match

• storage_key=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== — Storage key in assignment (88 chars)
• account_key: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUV==" — Account key in YAML format
• storage_account_key="000000000000000000000000000000000000000000000=" — Storage account key with placeholder value

Should not match

• storage_key="" — Empty key value
• storage_key=tooshort — Value too short to be a storage key
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Configuration templates with placeholder storage key values. Mitigation: Check for common placeholder patterns and template indicators.
• Non-Azure storage service keys that use similar naming. Mitigation: Require proximity to Azure-specific keywords for differentiation.

References

• Azure Storage account key (generic) entity definition - Microsoft Learn