Azure Storage Account Shared Access Signature for High Risk Resources

Detects Azure Storage Account Shared Access Signature (SAS) patterns for high-risk resources with write or delete permissions. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: core.windows.net storage domain combined with write/delete permissions and sig parameter uniquely identifies high-risk Azure Storage SAS tokens. Added context gating and exclusion rules improve precision and reduce incidental matches.
Detection quality: Not detected
Jurisdictions: global
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
Data categories: credentials, security
Scope: specific
Risk rating: 10
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)https?://[^/]*\.(?:blob|queue|table|file)\.core\.windows\.net[^"'\s]*[?&]sp=[rwdlac]*[wdc][rwdlac]*[^"'\s]*[?&]sig=[A-Za-z0-9%+/=]+

Corroborative evidence keywords

Azure Storage, SAS, shared access signature, write permission, delete permission, blob, storage account, core.windows.net, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+45 more)

Proximity: 300 characters

Should match

https://myaccount.blob.core.windows.net/container?sv=2021-06-08&sp=rwdl&sig=AAAA0000%3D — Blob SAS with read/write/delete/list permissions
https://myaccount.blob.core.windows.net/container?sv=2020-08-04&sp=wc&sig=000000%3D — Blob SAS with write/create permissions
https://myaccount.table.core.windows.net/table?sv=2022-11-02&sp=rwd&sig=ABCDEFghij%3D — Table SAS with write and delete permissions

Should not match

https://myaccount.blob.core.windows.net/container?sv=2021-06-08&sp=rl&sig=AAAA%3D — Read-only SAS (not high risk)
https://myaccount.blob.core.windows.net/container — Storage URL without SAS token
template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

Azure Storage documentation with example write-permission SAS URLs. Mitigation: Check for common placeholder values and documentation context.
CI/CD pipeline artifacts containing build-time SAS tokens. Mitigation: Check se= (expiry) parameter and verify the token scope.

References

Azure Storage account shared access signature for high risk resources entity definition - Microsoft Learn