You want to know who accessed, or is currently accessing, your storage account. For example, someone may have created, deleted, or modified blobs or containers within it. This blog post explains how you can use storage logs to troubleshoot such scenarios.
An important source of information for troubleshooting such scenarios is the Storage Analytics logs, which keep track of the data plane operations happening on the storage account. There is billing associated with this logging as well.
If Storage Analytics logging is enabled, you can use the options below, depending on the logging format:
Let us take a look at some more details and the steps you can follow:
NOTE: If logging isn't enabled, you won't be able to backtrack much. Consider the above step a prerequisite for the analysis as well.
Log Version: Provides the log version, i.e. either 1.0 or 2.0.
Transaction Start Time: The time when the transaction was initiated.
REST Operation Type: The type of operation that was performed, such as Read, List, Delete etc.
Authentication Type: The authentication mechanism that was used, such as SAS, OAuth etc.
Request URL: The request URL for the operation; it can give an idea of the file name involved.
Request ID: This is the Storage Request ID.
Client IP: The IP address that was hitting the storage account.
User Agent: The user agent details of the client application, e.g. Storage Explorer in the example above.
User Object ID: This field is empty in the first snippet because the authentication happened via SAS, whereas in the second one you get the User Object ID and the principal name as well. You can then look up the User Object ID in Azure AD via the portal to see whether it belongs to a single user, a group or a service principal.
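To pull the fields listed above out of raw log lines and answer "who performed this operation", the following added example (not code from the original post) parses two constructed log entries. The field positions are an assumption taken from the documented Storage Analytics log layout, and the account name, IPs, IDs and user agent are made up for illustration.

```python
import csv

# Zero-based positions assumed from the documented semicolon-delimited
# Storage Analytics log layout; confirm them against your own log entries.
FIELDS = {"log_version": 0, "start_time": 1, "operation": 2, "auth_type": 7,
          "request_url": 11, "request_id": 13, "client_ip": 15, "user_agent": 27}
# Appended in version 2.0 entries; filled in for OAuth (bearer) requests.
V2_FIELDS = {"user_object_id": 30, "user_principal_name": 35}

# Constructed sample entries (not real log data): a SAS delete and an OAuth upload.
SAMPLE_LINES = [
    '1.0;2020-01-15T10:21:03.0000000Z;DeleteBlob;SASSuccess;202;12;12;sas;;examplestore;blob;'
    '"https://examplestore.blob.core.windows.net/reports/q4.csv";"/examplestore/reports/q4.csv";'
    '00000000-0000-0000-0000-000000000001;0;203.0.113.10:50112;2019-02-02;400;0;200;0;0;;;;;;'
    '"ExampleExplorer/1.0 (constructed; Win32NT)";;"c1"',
    '2.0;2020-01-15T10:25:47.0000000Z;PutBlob;Success;201;30;29;bearer;examplestore;examplestore;blob;'
    '"https://examplestore.blob.core.windows.net/reports/q4.csv";"/examplestore/reports/q4.csv";'
    '00000000-0000-0000-0000-000000000002;0;198.51.100.7:61200;2019-02-02;500;1024;250;0;1024;;;;;;'
    '"ExampleExplorer/1.0 (constructed; Win32NT)";;"c2";"11111111-1111-1111-1111-111111111111";'
    '"22222222-2222-2222-2222-222222222222";"33333333-3333-3333-3333-333333333333";'
    '"https://storage.azure.com";"https://sts.windows.net/22222222-2222-2222-2222-222222222222/";'
    '"alice@example.com";;',
]

def parse_entry(line):
    """Extract the fields discussed in this post from one log line."""
    # Quoted fields (URL, user agent) may contain ';', so split with csv.
    row = next(csv.reader([line], delimiter=";", quotechar='"'))
    entry = {name: row[i] for name, i in FIELDS.items()}
    is_v2 = entry["log_version"] == "2.0"
    for name, i in V2_FIELDS.items():
        entry[name] = row[i] if is_v2 and len(row) > i else ""
    # Logged as address:port; strip the port (IPv4 assumed).
    entry["client_ip"] = entry["client_ip"].rsplit(":", 1)[0]
    return entry

def who_did(lines, operations):
    """Return (time, operation, caller, ip, url) for the given operation types."""
    hits = []
    for line in lines:
        e = parse_entry(line)
        if e["operation"] in operations:
            # SAS requests carry no identity, so fall back to the auth type.
            caller = e["user_principal_name"] or e["user_object_id"] or e["auth_type"]
            hits.append((e["start_time"], e["operation"], caller,
                         e["client_ip"], e["request_url"]))
    return hits
```

For SAS-authenticated entries the caller column can only show the authentication type, so the client IP, user agent and request ID are what remain to correlate on.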
For more information, please follow the link below.
Hope this helps!