
Azure Anonymous Storage Authentication

Anvilogic Forge

Summary
The rule detects anonymous authentication attempts against Azure Storage accounts by analyzing Storage Analytics logs, which record each access request together with the identity type that was used. The detection logic runs in Splunk: it first retrieves cloud activity data scoped to storage authentication events and keeps only events whose identity type is 'Anonymous'. A regular expression (`rex`) then strips the client port from the source IP address, so that repeated requests from one client, which would otherwise differ only by ephemeral port, can be aggregated as a single source. The remaining fields are laid out in a table (account details, user identity, event description and permissions), and the results are aggregated over 60-second time bins to surface bursts of anonymous access from a single source against a single account. Anonymous access indicates either a container or blob that was deliberately exposed for public read, or a misconfiguration that lets unauthenticated callers enumerate or read data; when reviewing hits, the request's status code distinguishes a successful anonymous read from a denied probe, and containers known to be intentionally public should be tuned out so the remaining results point at unexpected exposure. The rule maps to MITRE ATT&CK technique T1530 (Data from Cloud Storage).
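The following Python is an added re-implementation of the logic described above (anonymous filter, port stripping, 60-second binning, per-source aggregation), written for this page; it is not Anvilogic's Splunk rule and does not reproduce its SPL. It runs over constructed sample events shaped like Azure Monitor resource logs for Azure Storage (`identity.type`, `callerIpAddress` carrying a client port, `properties.accountName`, `properties.objectKey`); the field names are assumed from that log format, and the `known_public` tuning set is an assumption added to show how intentionally public containers can be suppressed.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the shape of Azure Monitor resource logs for
# Azure Storage. They are synthetic: no real tenant, account or client.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:05Z", "operationName": "GetBlob", "statusCode": 200,
     "callerIpAddress": "203.0.113.10:51234", "identity": {"type": "Anonymous"},
     "properties": {"accountName": "prodstorage",
                    "objectKey": "/prodstorage/public-assets/logo.png"}},
    {"time": "2024-02-09T10:00:40Z", "operationName": "ListBlobs", "statusCode": 403,
     "callerIpAddress": "203.0.113.10:51236", "identity": {"type": "Anonymous"},
     "properties": {"accountName": "prodstorage",
                    "objectKey": "/prodstorage/backups"}},
    {"time": "2024-02-09T10:00:50Z", "operationName": "GetBlob", "statusCode": 404,
     "callerIpAddress": "[2001:db8::1]:443", "identity": {"type": "Anonymous"},
     "properties": {"accountName": "prodstorage",
                    "objectKey": "/prodstorage/backups/db.bak"}},
    {"time": "2024-02-09T10:01:10Z", "operationName": "GetBlob", "statusCode": 200,
     "callerIpAddress": "203.0.113.10:51240", "identity": {"type": "Anonymous"},
     "properties": {"accountName": "prodstorage",
                    "objectKey": "/prodstorage/backups/db.bak"}},
    # Authenticated request: must be excluded by the identity-type filter.
    {"time": "2024-02-09T10:01:15Z", "operationName": "GetBlob", "statusCode": 200,
     "callerIpAddress": "198.51.100.7:44000", "identity": {"type": "OAuth"},
     "properties": {"accountName": "prodstorage",
                    "objectKey": "/prodstorage/backups/db.bak"}},
]

# Matches "<IPv4>:<port>" or "[<IPv6>]:<port>"; a bare address does not match.
_CALLER_RE = re.compile(
    r"^(?:(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|\[(?P<v6>[0-9A-Fa-f:.]+)\]):\d{1,5}$"
)


def strip_port(caller_ip):
    """Return the address part of callerIpAddress without the client port.
    Without this step each new connection from one client looks like a
    distinct source, because the ephemeral port changes every time."""
    m = _CALLER_RE.match(caller_ip)
    if m:
        return m.group("v4") or m.group("v6")
    return caller_ip  # already bare, or an unexpected shape: keep as-is


def time_bin(ts, bin_seconds=60):
    """Floor an ISO-8601 UTC timestamp (optional fraction, trailing Z) to the
    start of its bin and return that as an ISO string."""
    dt = datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    epoch = int(dt.replace(tzinfo=timezone.utc).timestamp())
    start = epoch - epoch % bin_seconds
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def container_of(object_key):
    """objectKey is "/<account>/<container>/<blob>"; return the container."""
    parts = object_key.split("/")
    return parts[2] if len(parts) > 2 else ""


def detect_anonymous_access(events, bin_seconds=60, known_public=frozenset()):
    """Aggregate anonymous storage requests per (bin start, source IP, account).
    known_public (assumed tuning knob) holds (account, container) pairs that are
    intentionally public and should not raise a hit."""
    agg = {}
    for ev in events:
        if ev.get("identity", {}).get("type") != "Anonymous":
            continue
        props = ev.get("properties", {})
        account = props.get("accountName", "")
        container = container_of(props.get("objectKey", ""))
        if (account, container) in known_public:
            continue
        key = (time_bin(ev["time"], bin_seconds), strip_port(ev["callerIpAddress"]), account)
        row = agg.setdefault(key, {"count": 0, "operations": set(),
                                   "status_codes": set(), "containers": set()})
        row["count"] += 1
        row["operations"].add(ev.get("operationName", ""))
        row["status_codes"].add(ev.get("statusCode"))
        row["containers"].add(container)
    return agg


if __name__ == "__main__":
    hits = detect_anonymous_access(SAMPLE_EVENTS,
                                   known_public={("prodstorage", "public-assets")})
    for (bin_start, ip, account), row in sorted(hits.items()):
        print(bin_start, ip, account, row["count"], sorted(row["operations"]),
              sorted(row["status_codes"]), sorted(row["containers"]))
```

Keeping the status codes in the aggregate is what lets an analyst separate a denied enumeration attempt (403) and a guess at a blob name (404) from a successful anonymous read (200) of the same container within the same minute.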
Categories
  • Cloud
  • Azure
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1530
Created: 2024-02-09