
Azure Storage SAS Token Access from External IP

Panther Rules

Summary
The Azure Storage SAS Token Access from External IP rule identifies potentially malicious access to Azure storage accounts that uses a Shared Access Signature (SAS) from an external, public IP address. The rule parses the SAS signature parameters out of the storage URI and flags the request as an unauthorized access attempt when the caller address is external. It is aimed at activity like that attributed to the Storm-0501 threat actor, which has been observed using stolen SAS tokens from external command and control (C2) infrastructure for data exfiltration. The detection replicates the logic of the existing Defender for Cloud alert 'Storage.Blob_AccountSas.InternalSasUsedExternally'. The rule's operational workflow includes querying Azure Monitor Activity logs, reviewing historical access patterns to establish the expected baseline, and checking for a possible account compromise. A runbook is provided to assess the details of each access attempt so that security teams can investigate incidents effectively.
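The detection described above, as an added example that is not Panther's own rule code: it pulls the SAS parameters out of a storage URI, classifies the token as an account or service SAS, and fires only when the caller address falls outside a set of internal ranges. The event fields `callerIpAddress` and `uri`, the `INTERNAL_NETS` list and the sample events are all constructed here and are not Panther's Azure log schema.

```python
"""Detection logic for SAS-token use from an external IP.

Added example; not Panther's rule code. The event fields (`callerIpAddress`,
`uri`) and the sample events below are constructed for illustration and do
not follow Panther's real Azure log schema.
"""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Query keys that make up an Azure Storage Shared Access Signature.
SAS_KEYS = {"sv", "ss", "srt", "sr", "sp", "st", "se", "spr", "sip", "si", "sig"}

# Address space treated as internal (constructed list). Documentation ranges
# such as 203.0.113.0/24 are deliberately NOT listed, so the sample events
# below read as external; ipaddress's `is_global` would classify those as
# non-global, which is why this example does not rely on it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",         # unspecified, multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def parse_sas(uri: str) -> dict:
    """Return the SAS parameters carried in the URI's query string.

    A URI counts as SAS-signed only when it carries both `sig` and `sv`;
    anything else yields an empty dict.
    """
    query = parse_qs(urlparse(uri).query)
    params = {k: v[0] for k, v in query.items() if k in SAS_KEYS and v}
    if "sig" not in params or "sv" not in params:
        return {}
    return params


def sas_kind(sas: dict) -> str:
    """Account SAS tokens carry `srt`; service SAS tokens carry `sr`."""
    if "srt" in sas:
        return "account"
    if "sr" in sas:
        return "service"
    return "unknown"


def is_external(ip_str: str) -> bool:
    """True when the caller address lies outside every INTERNAL_NETS range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:       # empty or malformed field: do not alert on garbage
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def rule(event: dict) -> bool:
    """Fire when a SAS-signed storage URI is requested from an external IP."""
    sas = parse_sas(event.get("uri", ""))
    if not sas:
        return False
    return is_external(event.get("callerIpAddress", ""))


def title(event: dict) -> str:
    """Alert title carrying the details an analyst wants first."""
    sas = parse_sas(event["uri"])
    host = urlparse(event["uri"]).hostname
    return (f"{sas_kind(sas)} SAS (sp={sas.get('sp', '?')}, se={sas.get('se', '?')}) "
            f"used on {host} from external IP {event['callerIpAddress']}")


# Constructed sample events; the signature value is a placeholder.
SAS_URI = ("https://examplestor.blob.core.windows.net/backups/db.bak"
           "?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2025-01-01T00:00:00Z"
           "&spr=https&sig=EXAMPLE_SIGNATURE")
SAMPLE_EVENTS = [
    # account SAS used from a public address: should alert
    {"callerIpAddress": "203.0.113.45", "uri": SAS_URI},
    # same SAS used from an RFC 1918 address: no alert
    {"callerIpAddress": "10.20.30.40", "uri": SAS_URI},
    # public address but no SAS on the URI: no alert
    {"callerIpAddress": "198.51.100.7",
     "uri": "https://examplestor.blob.core.windows.net/public/index.html"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("ALERT:" if rule(ev) else "ok:   ",
              title(ev) if rule(ev) else ev["callerIpAddress"])
```

The `sip` parameter, when present, records the IP range the token issuer restricted it to; comparing it against `callerIpAddress` in the runbook is a quick way to tell a token used as intended from one that has left its expected network.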
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1567
  • T1552.001
Created: 2026-02-12