Azure Defender: Unusual unauthenticated access to your storage account

Had a brief head scratching moment today with an Azure Defender alert.

A production storage account with a $web container that had apparently been accessed anonymously, without a SAS token or any other authentication. At first glance, not an ideal situation for a prod resource...

The alert in Azure Defender

Checking public access level

First port of call is to check the public access level of the container. In this case, the container showed access level "Private".

This will confuse analysts, as it did me...

What is the $web container?

In a storage account you can host a static website, which is enabled via "Static website" under "Data management". As soon as you enable this, the "$web" container is created; it is the container that holds your web files. See below.

Understanding $web container access level

"You can modify the public access level of the $web container, but this has no impact on the primary static website endpoint because these files are served through anonymous access requests. That means public (read-only) access to all files."

Disabling public access on a storage account does not affect static websites that are hosted in that storage account.

The key to the question is in the Microsoft docs:

Static website hosting in Azure Storage: Azure Storage static website hosting, providing a cost-effective, scalable solution for hosting modern web applications.

Essentially, if you select "Disable public access to blobs" on a storage account, that setting does not apply to the $web container: anonymous web requests are assumed to be normal, because you are hosting a static website and its files are served through the primary static website endpoint regardless of the container's access level.
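To make this distinction mechanical during triage, here is an added example (not from the post, and not Microsoft's tooling) that walks a set of blob access log records and separates anonymous reads that static website hosting explains from anonymous reads that still need a look. The records are constructed here; their field names (identity.type, uri, properties.objectKey, statusCode), the ".web.core.windows.net" host suffix of the primary web endpoint and the account name "examplestorage" are assumptions for the example, not values taken from the alert or from a real log export.

```python
"""Triage helper for "unauthenticated access" alerts on a storage account.

Rule applied: an anonymous read is expected only when the static website
feature is on, the object lives in the $web container, and the request came
in through the primary web endpoint. Anonymous reads via the blob endpoint,
or to any other container, are governed by the container access level and
are flagged for review.
"""
import json
from urllib.parse import urlparse

# Hostname suffix of the primary static website endpoint (assumption about
# the naming scheme, e.g. <account>.z13.web.core.windows.net).
WEB_ENDPOINT_SUFFIX = ".web.core.windows.net"
STATIC_WEB_CONTAINER = "$web"

# Constructed sample records, loosely shaped like Azure Storage blob resource
# logs. Field names and the account name are assumptions for this example.
SAMPLE_LOG = json.dumps([
    {"operationName": "GetBlob", "statusCode": 200,
     "identity": {"type": "Anonymous"},
     "uri": "https://examplestorage.z13.web.core.windows.net/index.html",
     "properties": {"objectKey": "/examplestorage/$web/index.html"}},
    {"operationName": "GetBlob", "statusCode": 200,
     "identity": {"type": "Anonymous"},
     "uri": "https://examplestorage.blob.core.windows.net/public-assets/report.pdf",
     "properties": {"objectKey": "/examplestorage/public-assets/report.pdf"}},
    {"operationName": "GetBlob", "statusCode": 200,
     "identity": {"type": "SAS"},
     "uri": "https://examplestorage.blob.core.windows.net/$web/index.html?sv=placeholder",
     "properties": {"objectKey": "/examplestorage/$web/index.html"}},
    # Anonymous read of $web through the *blob* endpoint: the container's
    # "Private" access level applies here, so the request was refused.
    {"operationName": "GetBlob", "statusCode": 403,
     "identity": {"type": "Anonymous"},
     "uri": "https://examplestorage.blob.core.windows.net/$web/index.html",
     "properties": {"objectKey": "/examplestorage/$web/index.html"}},
])


def load_records(raw_json: str) -> list:
    """Parse a JSON array of log records."""
    return json.loads(raw_json)


def container_of(object_key: str) -> str:
    """objectKey is assumed to look like /<account>/<container>/<blob path>."""
    parts = object_key.strip("/").split("/", 2)
    return parts[1] if len(parts) > 1 else ""


def classify(record: dict, static_website_enabled: bool) -> str:
    """Return one of: authenticated, denied, expected, review."""
    if record["identity"]["type"].lower() != "anonymous":
        return "authenticated"
    if int(record["statusCode"]) >= 400:
        return "denied"  # anonymous attempt that the service rejected
    host = urlparse(record["uri"]).hostname or ""
    container = container_of(record["properties"]["objectKey"])
    via_web_endpoint = host.endswith(WEB_ENDPOINT_SUFFIX)
    if static_website_enabled and container == STATIC_WEB_CONTAINER and via_web_endpoint:
        return "expected"  # exactly what static website hosting does
    return "review"  # anonymous read elsewhere: check that container's access level


def triage(records: list, static_website_enabled: bool):
    """Count verdicts and collect the object keys that need a human look."""
    summary = {"expected": 0, "review": 0, "authenticated": 0, "denied": 0}
    flagged = []
    for record in records:
        verdict = classify(record, static_website_enabled)
        summary[verdict] += 1
        if verdict == "review":
            flagged.append(record["properties"]["objectKey"])
    return summary, flagged


if __name__ == "__main__":
    summary, flagged = triage(load_records(SAMPLE_LOG), static_website_enabled=True)
    print("verdicts:", summary)
    for key in flagged:
        print("review anonymous read of", key)
```

The static_website_enabled flag is an input you read from the account itself (for instance the staticWebsite.enabled field returned by `az storage blob service-properties show --account-name <account>`) rather than something inferred from the logs; with it set to false, every anonymous read, including ones to $web, lands in the review bucket.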

I hope that clears things up

Have a good day!

More about Azure Defender here:

Azure Defender | Microsoft Azure: Protect your hybrid cloud workloads with Azure Defender, helping you streamline security with AI and automation.

Update 09/11/2021

Had an email from Microsoft: they've had issues on their side for a week due to a patch for storage containers, which has since been reversed. This may also have caused these alerts to flag.