Skip to content

Microsoft.Compute/snapshots/beginGetAccess/action

Azure

Microsoft.Compute/snapshots/beginGetAccess/action

service: Azure - Compute
techniques:

Event

Generates a time-limited SAS URL to access or download the data from an Azure VM disk snapshot.

Security Context

  • Accessing cloud storage objects can expose sensitive data including backups, configuration files, application data, and customer information.
  • Transferring data to external cloud accounts or regions can bypass network-based data loss prevention controls and exfiltrate large volumes of data.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud calls beginGetAccess on a previously-created snapshot of the production data disk (snapshot name snap-occamy-data-666, created in a prior Microsoft.Compute/snapshots/write event not in this batch). Azure mints a SAS URL pointing at the snapshot blob; Draco downloads the raw snapshot VHD offline. The CopyBlob event later in this batch represents the actual transfer.

{
"authorization": {
"action": "Microsoft.Compute/snapshots/beginGetAccess/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/snapshots/snap-occamy-data-666"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000010100000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010100001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T19:32:08.5172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/snapshots/snap-occamy-data-666/events/90000000-0000-4000-8000-000010100001/ticks/638798175285172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010100010",
"operationName": {
"value": "Microsoft.Compute/snapshots/beginGetAccess/action",
"localizedValue": "Get Snapshot SAS URI"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.Compute",
"localizedValue": "Microsoft.Compute"
},
"resourceType": {
"value": "Microsoft.Compute/snapshots",
"localizedValue": "Microsoft.Compute/snapshots"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/snapshots/snap-occamy-data-666",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Accepted",
"localizedValue": "Accepted (HTTP Status Code: 202)"
},
"submissionTimestamp": "2026-04-15T19:32:09.0218739Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Accepted",
"serviceRequestId": null,
"requestbody": "{\"access\":\"Read\",\"durationInSeconds\":3600}",
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/snapshots/snap-occamy-data-666",
"message": "Microsoft.Compute/snapshots/beginGetAccess/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010100011",
"clientIpAddress": "203.0.113.66",
"method": "POST",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/snapshots/snap-occamy-data-666/beginGetAccess?api-version=2023-10-02"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Collection Exfiltration

Techniques:
  • T1530 — Data from Cloud Storage — Adversaries may access data from cloud storage.
  • T1537 — Transfer Data to Cloud Account — Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.