Forum Discussion

mbenic's avatar
mbenic
Copper Contributor
Jan 06, 2020
Solved

Is it possible to list Azure Storage Account account key access attempts?

While I can access the Activity log for our storage account and see my activity on the Azure web console, I'd like to be able to report on at least failed and ideally also successful attempts to conn...
azure
Security & Compliance
  • hspinto's avatar
    hspinto
    Jan 06, 2020

    Hello, mbenic!

     

    You can monitor all (un)successful access to your Storage Account with Storage Analytics logging. See the official documentation and a very good series of blog posts (by azsec) about monitoring Azure Storage (1, 2, 3 & 4). Hope this helped!

hspinto's avatar
hspinto
Icon for Microsoft rankMicrosoft
Jan 06, 2020

Hello, mbenic!

 

You can monitor all (un)successful access to your Storage Account with Storage Analytics logging. See the official documentation and a very good series of blog posts (by azsec) about monitoring Azure Storage (1, 2, 3 & 4). Hope this helped!

  • mbenic's avatar
    mbenic
    Copper Contributor
    Jan 07, 2020

    hspinto thanks. I see this is already enabled on my storage account, but the $logs container is empty. I noticed this the documentation you linked under a list of authentication requests that will be logged:

    "Requests using a Shared Access Signature (SAS) or OAuth, including failed and successful requests"

     

    Does this imply that requests using a connection string with an Account Key will not be logged?

    • hspinto's avatar
      hspinto
      Icon for Microsoft rankMicrosoft
      Jan 07, 2020

      mbenic, all requests, including Storage Account key-based ones, are logged in Storage Analytics. Storage Account-key requests are logged with "authenticated" as "authentication_type". If you don't see anything in the $logs container maybe your Storage Account is not being accessed or you have a short retention period or you haven't correctly configured logging, which should have all "Logging" checkboxes enabled.

       

      • mbenic's avatar
        mbenic
        Copper Contributor
        Jan 08, 2020

        Thanks hspinto. I'm not sure what changed, since hourly logs were already enabled, but I'm now seeing records in $logs. And in Metrics I can filter by "Authentication=AccountKey".

Resources