Sentinel to Detect Storage Account Created

Question

Hi Everyone,&nbsp;When trying to generate query to show storage account when they are created, I'm having bad luck of not been able to see it in Sentinel. The KQL query I have is:&nbsp;AzureActivity| where ResourceProviderValue == "MICROSOFT.STORAGE"| where OperationNameValue == "Microsoft.Storage/storageAccounts/write"&nbsp;When the query is running, it generate no output. Even if take away "| where OperationNameValue == "Microsoft.Storage/storageAccounts/write"", I can see the storage account but not specifically when I spun up a test storage account to detect it.&nbsp;&nbsp;I'll appericate if anyone can help me get this query to work.&nbsp;&nbsp;Side note: I have Azure Monitor Alert enable and I get email but I want those alerts to be shown in Sentinel as an incident.&nbsp;

kidd_ip · Answer

How about this:
&nbsp;
AzureActivity
| where ResourceProviderValue == "Microsoft.Storage"
| where OperationNameValue has "write"
| where ActivityStatusValue == "Succeeded"
| where Properties has "storageAccounts"
| project TimeGenerated, ResourceGroup, Resource, Caller, OperationNameValue, ActivityStatusValue
&nbsp;

cybersal82 · Answer

Thanks for reading my post. I'll definitely test it and I'll let you know.&nbsp;

Forum Discussion

Sentinel to Detect Storage Account Created

2 Replies

Resources