SOLVED

Is it possible to list Azure Storage Account account key access attempts?


While I can access the Activity log for our storage account and see my activity on the Azure web console, I'd like to be able to report on at least failed and ideally also successful attempts to connect to the storage account using the account key. It looks like it is possible to obtain access logs when Azure Active Directory is used, but I'm not finding something similar for key-based access. Is this possible?

4 Replies
Best Response confirmed by mbenic (New Contributor)
Solution

Hello, @mbenic!

You can monitor all (un)successful access to your Storage Account with Storage Analytics logging. See the official documentation and a very good series of blog posts (by azsec) about monitoring Azure Storage (1, 2, 3 & 4). Hope this helped!

@hspinto thanks. I see this is already enabled on my storage account, but the $logs container is empty. I noticed this in the documentation you linked under a list of authentication requests that will be logged:

"Requests using a Shared Access Signature (SAS) or OAuth, including failed and successful requests"

Does this imply that requests using a connection string with an Account Key will not be logged?

@mbenic, all requests, including Storage Account key-based ones, are logged in Storage Analytics. Storage Account-key requests are logged with "authenticated" as "authentication_type". If you don't see anything in the $logs container maybe your Storage Account is not being accessed or you have a short retention period or you haven't correctly configured logging, which should have all "Logging" checkboxes enabled.
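
An added example, not part of the original thread: a report of account-key requests built from `$logs` entries by filtering on the authentication type named in the reply above. It assumes the semicolon-delimited Storage Analytics log format version 1.0 field order; the sample entries, the account name `examplestore` and the IP addresses are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Leading fields of a Storage Analytics log entry (log format version 1.0),
# in order; real entries carry further fields after the requester IP.
FIELDS = [
    "version", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
    "authentication_type", "requester_account", "owner_account",
    "service_type", "request_url", "requested_object_key",
    "request_id", "operation_count", "requester_ip",
]

# Constructed sample entries (not real logs), cut off after the requester IP.
# "examplestore" and the documentation-range IPs are placeholders.
_URL = "https://examplestore.blob.core.windows.net/data"
SAMPLE = "\n".join([
    f'1.0;2020-01-07T10:15:02.0000000Z;GetBlob;Success;200;12;10;authenticated;examplestore;examplestore;blob;"{_URL}/a.csv";"/examplestore/data/a.csv";00000000-0000-0000-0000-000000000001;0;203.0.113.10:50412',
    f'1.0;2020-01-07T10:15:09.0000000Z;ListBlobs;Success;200;20;18;authenticated;examplestore;examplestore;blob;"{_URL}?restype=container&amp;comp=list";"/examplestore/data";00000000-0000-0000-0000-000000000002;0;203.0.113.10:50413',
    f'1.0;2020-01-07T10:16:40.0000000Z;GetBlob;AuthorizationError;403;3;3;authenticated;examplestore;examplestore;blob;"{_URL}/a.csv";"/examplestore/data/a.csv";00000000-0000-0000-0000-000000000003;0;198.51.100.7:40100',
    f'1.0;2020-01-07T10:17:05.0000000Z;GetBlob;SASSuccess;200;9;8;sas;;examplestore;blob;"{_URL}/a.csv";"/examplestore/data/a.csv";00000000-0000-0000-0000-000000000004;0;198.51.100.7:40101',
    f'1.0;2020-01-07T10:18:30.0000000Z;GetBlob;AnonymousSuccess;200;7;6;anonymous;;examplestore;blob;"{_URL}/a.csv";"/examplestore/data/a.csv";00000000-0000-0000-0000-000000000005;0;192.0.2.44:33000',
])


def parse(text):
    """Split entries on ';' while honouring quoted fields (URLs may contain ';')."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    return [dict(zip(FIELDS, rec)) for rec in reader if rec and rec[0] == "1.0"]


def account_key_requests(rows):
    """Keep entries whose authentication type is 'authenticated' (per the reply above)."""
    return [r for r in rows if r["authentication_type"].lower() == "authenticated"]


def summarize(rows):
    """Count successful and failed requests per client IP (port stripped)."""
    counts = Counter()
    for r in rows:
        outcome = "success" if r["request_status"].endswith("Success") else "failed"
        counts[(r["requester_ip"].rsplit(":", 1)[0], outcome)] += 1
    return counts


if __name__ == "__main__":
    report = summarize(account_key_requests(parse(SAMPLE)))
    for (ip, outcome), n in sorted(report.items()):
        print(f"{ip:15} {outcome:8} {n}")
```
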

 


Thanks @hspinto. I'm not sure what changed, since hourly logs were already enabled, but I'm now seeing records in $logs. And in Metrics I can filter by "Authentication=AccountKey".