Azure Storage Account Keys Listed

Panther Rules

Summary
This detection rule identifies when Azure Storage Account access keys are listed or retrieved. Access keys grant complete control over the storage account, so an adversary who obtains them can manage blob containers, file shares, queues, and tables without holding legitimate permissions of their own. The rule monitors Azure Monitor Activity logs for operations that list keys; such activity may signal a compromise or preparation for data exfiltration. The rule also outlines investigation steps for any key listing: check whether the requesting identity has unusual role assignments or privileges, and look for subsequent actions that may indicate data exfiltration, such as generation of Shared Access Signature (SAS) tokens or changes to access settings. The rule is marked experimental with medium severity: it is not yet finalized, but it covers important threats to cloud storage access.
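A sketch of the detection and the SAS follow-up check described in the summary, added here as an example and not the Panther rule's own source. The field names (`operationName`, `resultType`, `caller`, `resourceId`, `time`) are an assumption about the ingested Activity log format; the one-hour window, the `triage` helper and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

LIST_KEYS = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
SAS_OPS = {  # SAS generation through the management plane
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTACCOUNTSAS/ACTION",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTSERVICESAS/ACTION",
}
WINDOW = timedelta(hours=1)  # assumed follow-up window, tune per environment

def _op(e): return str(e.get("operationName", "")).upper()
def _ok(e): return str(e.get("resultType", "")).lower() == "success"
def _ts(e): return datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
def _acct(e): return e.get("resourceId", "").upper()  # resource IDs are case-insensitive

def is_key_listing(event):
    """True for a completed listKeys call (ignores Start/Failed records)."""
    return _op(event) == LIST_KEYS and _ok(event)

def triage(events):
    """One finding per key listing, with SAS operations by the same caller
    on the same account inside WINDOW attached for the analyst."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if not is_key_listing(ev):
            continue
        sas = [e["operationName"] for e in events[i + 1:]
               if _op(e) in SAS_OPS and _ok(e)
               and e.get("caller") == ev.get("caller")
               and _acct(e) == _acct(ev)
               and _ts(e) - _ts(ev) <= WINDOW]
        findings.append({"caller": ev.get("caller"), "account": ev.get("resourceId"),
                         "time": ev["time"], "sas_follow_up": sas})
    return findings

# Constructed sample events (placeholder subscription, accounts and callers).
_RID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/"
def _ev(t, caller, op, result, acct):
    return {"time": t, "caller": caller, "resultType": result, "resourceId": _RID + acct,
            "operationName": "Microsoft.Storage/storageAccounts/" + op}

SAMPLE_EVENTS = [
    _ev("2026-01-10T09:00:00Z", "alice@example.com", "listKeys/action", "Success", "acctA"),
    _ev("2026-01-10T09:05:00Z", "bob@example.com", "listKeys/action", "Failed", "acctA"),
    _ev("2026-01-10T09:10:00Z", "alice@example.com", "listAccountSas/action", "Success", "ACCTA"),
    _ev("2026-01-10T10:00:00Z", "carol@example.com", "listKeys/action", "Success", "acctB"),
    _ev("2026-01-10T12:30:00Z", "carol@example.com", "listServiceSas/action", "Success", "acctB"),
]
```

SAS tokens signed locally with a listed key never reach the Activity log, so an empty `sas_follow_up` does not clear the event.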
Categories
  • Cloud
  • Azure
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1552
  • T1530
Created: 2026-01-14