
Azure Storage Account Keys Accessed by Privileged User

Elastic Detection Rules

Summary
This rule detects Azure Storage Account keys being listed by a user who holds a highly privileged role such as Owner, Contributor, or Storage Account Contributor. It was written in response to STORM-0501 ransomware activity, in which compromised identities holding these roles listed storage account keys to reach sensitive storage resources. An account key grants full, identity-less access to the storage account's data plane, so a single successful key listing is enough for an attacker to read, exfiltrate, or encrypt its contents.

The rule uses Azure Activity Logs as its data source and alerts the first time in a 7-day window that a given privileged user lists the keys of a storage account, so routine, repeated use by an established administrator or automation does not fire on every call. Microsoft recommends reducing reliance on account keys in favour of Shared Access Signatures (SAS), which scope access to specific resources, permissions, and time windows; note that a SAS signed with an account key stays valid until that key is regenerated, so key rotation remains part of the response after a confirmed compromise. The rule's notes cover investigating the access pattern, validating that the caller's role assignment and activity are expected, and initiating a response when they are not, making it a useful control for securing Azure storage resources.
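The detection described above, as an added example that is not Elastic's rule or its query: a small "first time in 7 days" detector for privileged key listings, run over constructed Azure Activity Log records. The operation name is the Azure Resource Manager action recorded for listing keys; the flattened field names (`caller`, `role`, `status`, `resourceId`) and the choice to key the history window on the (caller, storage account) pair are assumptions made for this example.

```python
"""Added example: a toy new-terms style detector for storage account key
listing by privileged roles, over constructed Azure Activity Log records.
Illustrative code only; not Elastic's rule or its query."""
from datetime import datetime, timedelta, timezone
import json

# ARM action recorded in the Activity Log when storage account keys are listed.
LISTKEYS_OP = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
# Roles the rule description calls out (assumption: extend to match your tenant).
PRIVILEGED_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}
HISTORY_WINDOW = timedelta(days=7)


def _rec(ts, caller, account, role, op=LISTKEYS_OP, status="Succeeded"):
    """Build a constructed, flattened activity-log record (field names are assumptions)."""
    return {
        "eventTimestamp": ts,
        "caller": caller,
        "operationName": op,
        "status": status,
        "resourceId": ("/subscriptions/sub-1/resourceGroups/rg-prod/providers/"
                       f"Microsoft.Storage/storageAccounts/{account}"),
        "role": role,
    }


# Constructed sample events, deliberately out of order to show the sort step.
SAMPLE_EVENTS = [
    _rec("2025-09-02T10:00:00Z", "alice@example.com", "prodblobs", "Owner"),   # repeat inside window
    _rec("2025-09-01T09:00:00Z", "alice@example.com", "prodblobs", "Owner"),   # first listing ever
    _rec("2025-09-03T11:00:00Z", "bob@example.com", "prodblobs", "Reader",
         op="MICROSOFT.STORAGE/STORAGEACCOUNTS/READ"),                          # not a key listing
    _rec("2025-09-04T12:00:00Z", "dave@example.com", "prodblobs",
         "Storage Account Contributor", status="Failed"),                       # denied call, ignored
    _rec("2025-09-10T08:00:00Z", "alice@example.com", "prodblobs", "Owner"),   # >7 days since last seen
    _rec("2025-09-10T09:00:00Z", "carol@example.com", "backups",
         "Storage Account Contributor"),                                        # new pair, new account
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_privileged_key_listing(event):
    """True for a successful listKeys call made under one of the watched roles."""
    return (event.get("operationName", "").upper() == LISTKEYS_OP
            and event.get("status") == "Succeeded"
            and event.get("role") in PRIVILEGED_ROLES)


def detect_new_key_listings(events, window=HISTORY_WINDOW):
    """Alert on the first privileged key listing by a (caller, storage account) pair
    that has not been seen in the preceding `window`; later repeats inside the
    window are suppressed, a repeat after the window has elapsed fires again."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: parse_ts(e["eventTimestamp"])):
        if not is_privileged_key_listing(event):
            continue
        ts = parse_ts(event["eventTimestamp"])
        key = (event["caller"].lower(), event["resourceId"].lower())
        previous = last_seen.get(key)
        if previous is None or ts - previous > window:
            alerts.append({
                "timestamp": event["eventTimestamp"],
                "caller": event["caller"],
                "role": event["role"],
                "storage_account": event["resourceId"].rsplit("/", 1)[-1],
            })
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_new_key_listings(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed input this yields three alerts: alice's first listing on 2025-09-01, her listing on 2025-09-10 (the 2025-09-02 call is suppressed as a repeat, but the next one lands more than 7 days after it), and carol's first listing against a different account. When triaging a real alert, confirm the role assignment is expected and, if the listing was not, regenerate the affected account keys, since any account-key-signed SAS issued from the exposed key stays valid until then.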
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1555 (Credentials from Password Stores)
  • T1555.006 (Cloud Secrets Management Stores)
  • T1078 (Valid Accounts)
  • T1078.004 (Cloud Accounts)
Created: 2025-09-23