Azure Storage Account Shared Access Signature

Detects Azure Storage Account Shared Access Signature (SAS) patterns for standard resources. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: core.windows.net storage domain combined with sig parameter is structurally unique to Azure Storage SAS. Added context gating and exclusion rules improve precision and reduce incidental matches.
Detection quality: Not detected
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
Data categories: credentials, security
Scope: specific
Risk rating: 10
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)https?://[^/]*\.(?:blob|queue|table|file)\.core\.windows\.net[^"'\s]*[?&]sig=[A-Za-z0-9%+/=]+

Corroborative evidence keywords

Azure Storage, SAS, shared access signature, blob, storage account, core.windows.net, container, sig, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+45 more)

Proximity: 300 characters

Should match

https://myaccount.blob.core.windows.net/container/blob.txt?sv=2021-06-08&sig=AAAA0000%3D — Blob Storage SAS URL
https://myaccount.table.core.windows.net/mytable?sv=2020-08-04&sig=000000%3D — Table Storage SAS URL
https://myaccount.file.core.windows.net/share/file.dat?sv=2022-11-02&sig=ABCDEFghij%3D — File Storage SAS URL

Should not match

https://myaccount.blob.core.windows.net/container/blob.txt — Storage URL without SAS token
https://myapp.azurewebsites.net?sig=test — Non-storage URL with sig parameter
template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

Azure Storage documentation with example SAS URLs. Mitigation: Check for common placeholder values and documentation context.
Expired SAS tokens in logs or audit trails. Mitigation: Flag for review regardless since the URL reveals storage account structure.

References

Azure Storage account shared access signature entity definition - Microsoft Learn