SOLVED

Unable to list all storage resources in Log Analytics


Hey all,

I want to be able to monitor all storage accounts' key rotations using Log Analytics. Not sure how to do this, as it seems I am not able to get a list of all storage accounts using a query? I can somewhat do this in PS using the following script, but how can I get this information in Log Analytics?

Code

# List every storage account in the current subscription
$storageAccounts = Get-AzureRmStorageAccount

# Cutoff: two days ago, as a sortable FileDateTime string
$timeStamp = Get-Date (Get-Date).AddDays(-2) -Format FileDateTime

foreach ($storageAccount in $storageAccounts) {
    # Key regeneration events logged for the account's resource group
    $regenerateKeyEvents = Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName |
        Where-Object { $_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action" } |
        Select-Object EventTimestamp

    foreach ($regenerateKeyEvent in $regenerateKeyEvents) {
        # Report each regeneration event that is older than the cutoff
        if ($timeStamp -gt ($regenerateKeyEvent.EventTimestamp | Get-Date -Format FileDateTime)) {
            Write-Host "Keys too old"
        }
    }
}

4 Replies
Best Response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi,

Azure Activity Logs can be sent to Log Analytics. More info here:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs

After they are sent there you can create a Log Analytics query that you can use to alert on the Azure Activity Logs. Basically doing the same thing you are doing with

Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName `
| Where{$_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action"} `
| Select-Object EventTimestamp

but with the Kusto query language that Log Analytics uses.

How would

Get-AzureRmLog -ResourceGroupName $storageAccount.ResourceGroupName `
| Where{$_.OperationName.Value -eq "Microsoft.Storage/storageAccounts/regenerateKey/action"} `
| Select-Object EventTimestamp

look like in a Kusto query?

Example would be

AzureActivity 
| extend Action = parse_json(Authorization)
| where Action.action == "Microsoft.Storage/storageAccounts/regenerateKey/action" and ResourceGroup =~ "something" and ActivityStatus != "Failed" 
| project EventSubmissionTimestamp

I will suggest, however, to look at the Kusto language documentation and the Azure Log Analytics alerts documentation to transform the example into a query that would be suitable for the alert that you want to achieve.
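
Added example (not part of the replies above): the answer's query generalized to every resource group, reporting the most recent non-failed key regeneration per storage account and keeping only those older than the two-day threshold from the question's script. It assumes the `Authorization` JSON also carries a `scope` field holding the account's resource ID; the 30-day lookback is an illustrative value that must fit within the workspace's retention.

```kusto
// Added example, not from the original thread.
// Threshold taken from the question's script (AddDays(-2)).
let maxKeyAge = 2d;
// Illustrative lookback; it must be longer than maxKeyAge and within workspace retention.
let lookback = 30d;
AzureActivity
| where TimeGenerated > ago(lookback)
| extend Action = parse_json(Authorization)
// Same operation and status filter as the answer's query, without the ResourceGroup restriction
| where tostring(Action.action) =~ "Microsoft.Storage/storageAccounts/regenerateKey/action"
    and ActivityStatus != "Failed"
// Assumption: Action.scope is the resource ID of the storage account the key belongs to
| extend StorageAccountId = tolower(tostring(Action.scope))
// One row per account: the latest regeneration seen in the lookback window
| summarize LastRegeneration = max(EventSubmissionTimestamp) by StorageAccountId
| extend KeyAge = now() - LastRegeneration
// Keep only accounts whose latest regeneration is older than the threshold
| where KeyAge > maxKeyAge
| project StorageAccountId, LastRegeneration, KeyAge
| order by KeyAge desc
```

A storage account with no regenerateKey event inside the lookback window produces no row at all, so this query cannot list accounts whose keys were never rotated; the account inventory still has to come from outside `AzureActivity`, for example the `Get-AzureRmStorageAccount` call in the question.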

Thx, I will Kusto query language :beaming_face_with_smiling_eyes: