Microsoft.Compute/disks/beginGetAccess/action
Azure
Microsoft.Compute/disks/beginGetAccess/action
Event
Generates a time-limited SAS URL to access or download the data of an Azure managed disk.
Security Context
- Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
- Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud calls beginGetAccess on the production OS disk vm-demiguise-infer-001-osdisk with access: "Read" and durationInSeconds: 3600. Azure mints a temporary SAS URL pointing at the disk’s underlying blob in a Microsoft-managed storage account; Draco downloads the raw VHD outside Azure for offline credential extraction. Maps to T1530 (Cloud Storage Object) + T1537 (Transfer Data to Cloud Account).
{ "authorization": { "action": "Microsoft.Compute/disks/beginGetAccess/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/disks/vm-demiguise-infer-001-osdisk" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud" }, "correlationId": "90000000-0000-4000-8000-000010011100", "description": "", "eventDataId": "90000000-0000-4000-8000-000010011101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T21:42:18.7382194Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/disks/vm-demiguise-infer-001-osdisk/events/90000000-0000-4000-8000-000010011101/ticks/638798247387382194", "level": "Informational", "operationId": "90000000-0000-4000-8000-000010011110", "operationName": { "value": "Microsoft.Compute/disks/beginGetAccess/action", "localizedValue": "Get Disk SAS URI" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.Compute", "localizedValue": "Microsoft.Compute" }, "resourceType": { "value": "Microsoft.Compute/disks", "localizedValue": "Microsoft.Compute/disks" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/disks/vm-demiguise-infer-001-osdisk", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Accepted", "localizedValue": "Accepted (HTTP Status Code: 202)" }, "submissionTimestamp": "2026-04-15T21:42:19.0184217Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Accepted", "serviceRequestId": null, "requestbody": "{\"access\":\"Read\",\"durationInSeconds\":3600,\"getSecureVMGuestStateSAS\":false}", "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/disks/vm-demiguise-infer-001-osdisk", "message": "Microsoft.Compute/disks/beginGetAccess/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000010011111", "clientIpAddress": "203.0.113.66", "method": "POST", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/disks/vm-demiguise-infer-001-osdisk/beginGetAccess?api-version=2023-10-02" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Collection Exfiltration
Techniques:
- T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
- T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.