Azure Resource Diagnostic Logs

m365-azure | Cloud Infrastructure | Cloud Admin Portal | SIEM / Log Aggregator

Location

Azure Portal > Resource > Diagnostic settings > Log Analytics workspace

Description

Data-plane logs for individual Azure resources (Key Vault access, Storage Blob read/write, SQL audit, App Service HTTP logs) when diagnostic settings are configured to route to Log Analytics, Storage, or Event Hub.

Forensic Value

Resource logs provide data-plane visibility that Activity Logs lack. Key Vault access logs reveal which secrets, keys, and certificates were read or modified during a breach. Storage account logs show exact blob names accessed and by which identity. These logs are critical for understanding what data the attacker actually accessed versus what they merely had permissions to access.
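
The accessed-versus-permitted distinction above, as an added example that is not part of the original entry: it reads Key Vault audit records exported to Storage or Event Hub and separates objects actually read or modified in an incident window from those the identity could merely reach. It assumes the records follow the documented Key Vault AuditEvent JSON schema; the vault name, identities, timestamps and permitted-object list are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
READ_OPS = {"SecretGet", "KeyGet", "CertificateGet"}
WRITE_OPS = {"SecretSet", "SecretDelete", "KeyCreate", "KeyDelete"}
# Constructed sample records (one JSON object per line); not real log data.
SAMPLE = "\n".join(json.dumps({
    "time": t, "category": "AuditEvent", "operationName": op, "resultType": res,
    "callerIpAddress": "203.0.113.7", "identity": {"claim": claim},
    "properties": {"id": "https://kv-example.vault.azure.net/" + obj},
}) for t, op, res, claim, obj in [
    ("2024-03-01T10:15:02.1234567Z", "SecretGet", "Success", {UPN: "svc-build@example.com"}, "secrets/db-password/0a1b"),
    ("2024-03-01T10:16:40.0000000Z", "SecretSet", "Success", {UPN: "svc-build@example.com"}, "secrets/api-token/2c3d"),
    ("2024-03-01T10:17:05.0000000Z", "SecretGet", "Failure", {UPN: "svc-build@example.com"}, "secrets/signing-key"),
    ("2024-02-20T08:00:00.0000000Z", "SecretGet", "Success", {"appid": "11111111-2222-3333-4444-555555555555"}, "secrets/db-password/0a1b"),
])

def parse_time(value):
    # Timestamps carry 7 fractional digits; whole seconds are enough here.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def object_name(object_id):
    # "https://vault/secrets/name/version" -> "secrets/name" (version dropped)
    return "/".join(urlparse(object_id).path.strip("/").split("/")[:2])

def touched_objects(lines, start, end):
    """Map caller -> {"read", "modified"} sets for successful calls in [start, end)."""
    out = defaultdict(lambda: {"read": set(), "modified": set()})
    for line in filter(str.strip, lines.splitlines()):
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent" or rec.get("resultType") != "Success":
            continue  # denied or failed requests did not return data
        if not start <= parse_time(rec["time"]) < end:
            continue
        claim = rec.get("identity", {}).get("claim", {})
        caller = claim.get(UPN) or claim.get("appid") or "unknown"
        name = object_name(rec.get("properties", {}).get("id", ""))
        if rec.get("operationName") in READ_OPS:
            out[caller]["read"].add(name)
        elif rec.get("operationName") in WRITE_OPS:
            out[caller]["modified"].add(name)
    return dict(out)

def permitted_but_untouched(permitted, touched):
    """Objects the identity could reach but that no successful call touched."""
    return set(permitted) - touched["read"] - touched["modified"]
```

The permitted set passed to `permitted_but_untouched` has to come from the vault's access policies or role assignments, which the resource logs themselves do not contain.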

Tools Required

Azure Portal | Log Analytics (KQL) | Azure CLI | PowerShell (Az module)