
Summary
This detection rule identifies successful GetBlob operations on Azure Storage Accounts that present the AzCopy user agent and authenticate with a SAS token. AzCopy is Microsoft's command-line tool for bulk data transfer to and from Azure Storage. It has legitimate uses, but an attacker holding a compromised or over-permissive SAS token can use it to copy the contents of a storage account out in bulk. The rule primarily captures the first instance of GetBlob requests matching this pattern, flagging possible data exfiltration early rather than alerting on every request. To investigate potential unauthorized access, analysts should assess the account involved, the objects retrieved, whether the source address is unusual for that account, the SAS token parameters (permissions, expiry, scope), and the volume of data transferred. False positives can arise from legitimate AzCopy use by DevOps or IT personnel; these cases should be evaluated carefully and used to refine the detection without suppressing genuine exfiltration. Recommended actions upon detection include confirming whether the access was authorized, revoking the compromised SAS token (a SAS signed with an account key is revoked by regenerating that key; one bound to a stored access policy is revoked by deleting or modifying the policy), auditing related activity on the account, and strengthening monitoring.
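The filter and first-seen summary described above, as an added Python illustration that is not the rule's own query: field names follow Azure's StorageBlobLogs diagnostic schema (OperationName, AuthenticationType, UserAgentHeader, StatusText, CallerIpAddress, AccountName, Uri, ResponseBodySize), the log rows are constructed for this example, and the account names, IP addresses and blob paths are placeholders.

```python
"""Illustration of the AzCopy + SAS GetBlob detection over constructed log rows.

This is example code written for this page, not the rule's query. The row
format mirrors Azure StorageBlobLogs so the same field checks would apply to
real diagnostic logs, but every row below is constructed.
"""
import json
from collections import OrderedDict
from urllib.parse import parse_qs, urlparse

# Constructed StorageBlobLogs-style rows (JSON lines). Rows 3-6 are negative
# cases: OAuth auth, a PutBlob, a non-AzCopy client, and a failed request.
SAMPLE_LOGS = """\
{"TimeGenerated":"2025-10-02T08:00:01Z","AccountName":"contosoprod","OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Windows_NT)","StatusText":"Success","StatusCode":200,"CallerIpAddress":"203.0.113.7:51322","Uri":"https://contosoprod.blob.core.windows.net/backups/db-2025-10-01.bak?sv=2023-11-03&sp=rl&sr=c&se=2025-10-09T00:00:00Z&sig=REDACTED","ResponseBodySize":52428800}
{"TimeGenerated":"2025-10-02T08:00:05Z","AccountName":"contosoprod","OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Windows_NT)","StatusText":"Success","StatusCode":200,"CallerIpAddress":"203.0.113.7:51322","Uri":"https://contosoprod.blob.core.windows.net/backups/db-2025-10-02.bak?sv=2023-11-03&sp=rl&sr=c&se=2025-10-09T00:00:00Z&sig=REDACTED","ResponseBodySize":31457280}
{"TimeGenerated":"2025-10-02T08:01:00Z","AccountName":"contosoprod","OperationName":"GetBlob","AuthenticationType":"OAuth","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Linux)","StatusText":"Success","StatusCode":200,"CallerIpAddress":"10.20.30.40:44120","Uri":"https://contosoprod.blob.core.windows.net/app/config.json","ResponseBodySize":2048}
{"TimeGenerated":"2025-10-02T08:02:00Z","AccountName":"contosoprod","OperationName":"PutBlob","AuthenticationType":"SAS","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Linux)","StatusText":"Success","StatusCode":201,"CallerIpAddress":"10.20.30.40:44121","Uri":"https://contosoprod.blob.core.windows.net/uploads/report.csv?sv=2023-11-03&sp=w&sr=c&se=2025-10-03T00:00:00Z&sig=REDACTED","ResponseBodySize":0}
{"TimeGenerated":"2025-10-02T08:03:00Z","AccountName":"contosoprod","OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"Microsoft Azure Storage Explorer/1.33.0","StatusText":"Success","StatusCode":200,"CallerIpAddress":"10.20.30.41:50000","Uri":"https://contosoprod.blob.core.windows.net/app/logo.png?sv=2023-11-03&sp=r&sr=b&se=2025-10-03T00:00:00Z&sig=REDACTED","ResponseBodySize":4096}
{"TimeGenerated":"2025-10-02T08:04:00Z","AccountName":"fabrikamdev","OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Linux)","StatusText":"AuthorizationFailure","StatusCode":403,"CallerIpAddress":"198.51.100.23:60010","Uri":"https://fabrikamdev.blob.core.windows.net/data/secret.bin?sv=2023-11-03&sp=r&sr=b&se=2025-09-01T00:00:00Z&sig=REDACTED","ResponseBodySize":0}
{"TimeGenerated":"2025-10-02T08:05:00Z","AccountName":"fabrikamdev","OperationName":"GetBlob","AuthenticationType":"SAS","UserAgentHeader":"AzCopy/10.21.0 Azure-Storage/0.1 (go1.21.0; Linux)","StatusText":"Success","StatusCode":200,"CallerIpAddress":"198.51.100.23:60011","Uri":"https://fabrikamdev.blob.core.windows.net/data/customers.csv?sv=2023-11-03&sp=racwdl&sr=c&se=2026-10-02T00:00:00Z&sig=REDACTED","ResponseBodySize":1024}
"""


def is_azcopy_sas_getblob(event):
    """The rule's core filter: successful GetBlob, SAS auth, AzCopy user agent."""
    return (
        event.get("OperationName") == "GetBlob"
        and event.get("AuthenticationType") == "SAS"
        and event.get("StatusText") == "Success"
        and str(event.get("UserAgentHeader", "")).startswith("AzCopy/")
    )


def sas_parameters(uri):
    """Pull the triage-relevant SAS query parameters (never the signature)."""
    query = parse_qs(urlparse(uri).query)
    return {k: query[k][0] for k in ("sv", "sp", "sr", "se", "si") if k in query}


def detect(lines):
    """Return one finding per storage account, keyed on the first matching event.

    Events are sorted by TimeGenerated so "first seen" does not depend on the
    order the rows arrived in. Later matching events for the same account are
    folded into the finding's caller set, object list and byte count so the
    analyst sees the volume transferred, not just the first request.
    """
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["TimeGenerated"])  # ISO-8601 Z strings sort lexically

    findings = OrderedDict()
    for event in events:
        if not is_azcopy_sas_getblob(event):
            continue
        account = event["AccountName"]
        caller_ip = event["CallerIpAddress"].rsplit(":", 1)[0]  # strip the port
        finding = findings.get(account)
        if finding is None:
            finding = findings[account] = {
                "account": account,
                "first_seen": event["TimeGenerated"],
                "callers": set(),
                "objects": set(),
                "bytes": 0,
                # SAS parameters of the first request: permissions (sp), expiry (se),
                # resource scope (sr) and version (sv) guide revocation and triage.
                "sas_params": sas_parameters(event["Uri"]),
            }
        finding["callers"].add(caller_ip)
        finding["objects"].add(urlparse(event["Uri"]).path)
        finding["bytes"] += int(event.get("ResponseBodySize", 0))

    results = []
    for finding in findings.values():
        finding["callers"] = sorted(finding["callers"])
        finding["objects"] = sorted(finding["objects"])
        results.append(finding)
    return results


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS.splitlines()):
        print(json.dumps(finding, indent=2))
```

With the constructed rows above, `detect` yields two findings: contosoprod (two backup blobs, about 80 MB, read-and-list SAS scoped to a container) and fabrikamdev (one file, but a SAS granting `racwdl` with a one-year expiry, which is exactly the kind of token parameter worth flagging in triage). The OAuth, PutBlob, Storage Explorer and 403 rows are filtered out.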
Categories
- Cloud
- Azure
- Infrastructure
Data Sources
- Cloud Service
- Application Log
- Network Traffic
- Malware Repository
ATT&CK Techniques
- T1567
- T1567.002
Created: 2025-10-02