Azure Storage Analytics & Diagnostic Logs

Cloud & SaaS · Data Access & Storage · Cloud Control Plane · SIEM / Log Aggregator

Location

Azure Portal > Storage Account > Diagnostic settings routes Azure Monitor resource logs to a Log Analytics workspace (tables StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs), an archive storage account, or an Event Hub. The legacy Storage Analytics logs are written as hourly blobs into the $logs container of the same storage account.

Description

Storage account access logs recording every read, write, delete, and list operation on blobs, files, tables, and queues, with the authentication type (shared key, SAS, Microsoft Entra/OAuth, or anonymous), the caller's object ID for OAuth-authorized requests, the client IP address, the request URL and object key, the response status, and the response size. Neither source is enabled by default: Azure Monitor resource logs exist only where a diagnostic setting routes them, and classic Storage Analytics logging must be turned on per service before anything is written to $logs.

Forensic Value

Storage logs establish which blobs and files were read, listed, written, or deleted during a breach, and by whom to the extent the authentication method allows. Requests authorized with Microsoft Entra (OAuth) tokens carry the caller's object ID; shared-key and SAS requests record only the authentication type, the client IP (with source port), and the user agent, so attributing access made with a stolen account key or leaked SAS relies on IP and user-agent correlation and on key-rotation timelines. Bulk GetBlob operations from one caller indicate mass download. ListBlobs and ListContainers operations preceding them reveal reconnaissance of storage contents. GetBlob entries with an anonymous authentication type show data exposed through public read access. Comparing per-caller access volume and object set against the account's normal baseline identifies anomalous access, and summing response sizes per object quantifies exposure for breach notification. Because logging is opt-in, an absence of entries only means something if logging was enabled and retained before the incident; Azure Monitor resource logs are also delivered with a delay of minutes, so the most recent activity may be missing from a freshly exported view.

Tools Required

Azure Portal · Log Analytics (KQL) · Azure CLI (az storage logging) · Azure Storage Explorer

Collection Commands

KQL

StorageBlobLogs
| where TimeGenerated > ago(30d)
| where OperationName == "GetBlob"
| extend CallerIp = tostring(split(CallerIpAddress, ":")[0])   // CallerIpAddress is "ip:port"; drop the source port so one client is one row
| summarize DownloadCount=count(), TotalBytes=sum(ResponseBodySize), DistinctObjects=dcount(Uri) by CallerIp, AccountName, AuthenticationType, RequesterObjectId
| sort by TotalBytes desc

az CLI

az storage logging show --account-name <storage-account> --services b --output json > storage_logging_config.json

az CLI

az storage blob list --account-name <storage-account> --container-name '$logs' --output json > storage_analytics_logs.json
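The listing above only enumerates the hourly log blobs; once they are pulled down (for example with az storage blob download-batch --source '$logs'), the analyst still has to parse them. The following is an added example, not part of the original card or of any Microsoft tooling: it parses the documented Storage Analytics version 1.0 record layout (semicolon-delimited, double-quoted strings, 30 fields) and applies the triage logic described under Forensic Value, per-IP GetBlob volume with a flag for callers that also enumerated containers. The log lines are constructed for the example (account name, IPs, object keys, and request IDs are made up; SAS signatures are redacted) and the field positions follow the published v1.0 format; a 2.0 record, which appends identity fields, is deliberately skipped rather than mis-parsed.

```python
"""Triage classic Azure Storage Analytics ($logs) records for bulk download.

Parses the Storage Analytics v1.0 log format (semicolon-delimited, quoted
strings, 30 positional fields), aggregates successful GetBlob volume per
caller IP, and marks IPs that also performed ListBlobs / ListContainers,
the list-then-fetch pattern that points at reconnaissance followed by
mass download.
"""
import csv
import io
from collections import defaultdict

# 0-indexed positions in the documented v1.0 record that matter for triage.
F_TIME, F_OP, F_STATUS, F_HTTP, F_AUTH, F_OWNER = 1, 2, 3, 4, 7, 9
F_URL, F_KEY, F_IP, F_RESP_BYTES, F_UA = 11, 12, 15, 20, 27
FIELD_COUNT = 30
LIST_OPS = {"ListBlobs", "ListContainers"}

# Constructed sample records (not real data): one SAS-bearing client lists the
# "finance" container and pulls three large blobs, a shared-key client fetches a
# small page, an anonymous client reads a public blob, and one record is truncated.
SAMPLE_LOG = "\n".join([
    '1.0;2024-03-02T09:13:40.0000000Z;ListBlobs;SASSuccess;200;9;7;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance?restype=container&comp=list&sv=2022-11-02&sig=REDACTED";"/contoso/finance";6d0d1c9e-301e-0041-3a1b-5f9f1e000000;0;203.0.113.45;2022-11-02;298;0;265;40960;0;;;;;;"python-requests/2.31.0";;"c1a2b3d4-0000-0000-0000-000000000000"',
    '1.0;2024-03-02T09:14:02.1234567Z;GetBlob;SASSuccess;200;12;8;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/q1-ledger.xlsx?sv=2022-11-02&sig=REDACTED";"/contoso/finance/q1-ledger.xlsx";6d0d1c9e-301e-0041-3a1b-5f9f1f000000;0;203.0.113.45;2022-11-02;310;0;265;5242880;0;;;"0x8DC3A1B2C3D4E5F";Friday, 01-Mar-24 18:00:00 GMT;;"python-requests/2.31.0";;"c1a2b3d4-0000-0000-0000-000000000001"',
    '1.0;2024-03-02T09:14:05.0000000Z;GetBlob;SASSuccess;200;11;8;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/payroll.csv?sv=2022-11-02&sig=REDACTED";"/contoso/finance/payroll.csv";6d0d1c9e-301e-0041-3a1b-5f9f20000000;0;203.0.113.45;2022-11-02;305;0;265;3145728;0;;;"0x8DC3A1B2C3D4E60";Friday, 01-Mar-24 18:05:00 GMT;;"python-requests/2.31.0";;"c1a2b3d4-0000-0000-0000-000000000002"',
    '1.0;2024-03-02T09:14:09.0000000Z;GetBlob;SASSuccess;200;15;9;sas;;contoso;blob;"https://contoso.blob.core.windows.net/finance/forecast.pptx?sv=2022-11-02&sig=REDACTED";"/contoso/finance/forecast.pptx";6d0d1c9e-301e-0041-3a1b-5f9f21000000;0;203.0.113.45;2022-11-02;308;0;265;8388608;0;;;"0x8DC3A1B2C3D4E61";Friday, 01-Mar-24 18:10:00 GMT;;"python-requests/2.31.0";;"c1a2b3d4-0000-0000-0000-000000000003"',
    '1.0;2024-03-02T09:20:00.0000000Z;GetBlob;Success;200;5;3;authenticated;contoso;contoso;blob;"https://contoso.blob.core.windows.net/website/index.html";"/contoso/website/index.html";6d0d1c9e-301e-0041-3a1b-5f9f22000000;0;198.51.100.7;2022-11-02;280;0;265;4096;0;;;"0x8DC3A1B2C3D4E62";Friday, 01-Mar-24 17:00:00 GMT;;"Azure-Storage/12.19.0 (Python 3.11)";;"c1a2b3d4-0000-0000-0000-000000000004"',
    '1.0;2024-03-02T09:21:30.0000000Z;GetBlob;AnonymousSuccess;200;4;2;anonymous;;contoso;blob;"https://contoso.blob.core.windows.net/public/logo.png";"/contoso/public/logo.png";6d0d1c9e-301e-0041-3a1b-5f9f23000000;0;192.0.2.200;2022-11-02;240;0;265;2048;0;;;"0x8DC3A1B2C3D4E63";Friday, 01-Mar-24 16:00:00 GMT;;"Mozilla/5.0";;"c1a2b3d4-0000-0000-0000-000000000005"',
    '1.0;2024-03-02T09:22:00.0000000Z;GetBlob;Success',  # truncated record, must be skipped
])


def parse_v1(text):
    """Return one dict per well-formed v1.0 record; malformed or non-1.0 lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != FIELD_COUNT or row[0] != "1.0":
            continue  # v2.0 appends identity fields and needs its own layout
        records.append({
            "time": row[F_TIME],
            "op": row[F_OP],
            "status": row[F_STATUS],
            "http": int(row[F_HTTP]),
            "auth": row[F_AUTH],            # authenticated | sas | anonymous
            "account": row[F_OWNER],
            "url": row[F_URL],
            "key": row[F_KEY],
            "ip": row[F_IP].split(":")[0],  # drop a source port if one is present
            "resp_bytes": int(row[F_RESP_BYTES] or 0),
            "ua": row[F_UA],
        })
    return records


def download_summary(records):
    """Per-IP successful GetBlob volume (200 and 206), largest first, with a recon flag."""
    by_ip = defaultdict(lambda: {"count": 0, "bytes": 0, "objects": set(),
                                 "auth": set(), "recon": False})
    for r in records:
        entry = by_ip[r["ip"]]
        if r["op"] in LIST_OPS:
            entry["recon"] = True           # container enumeration from this IP
        elif r["op"] == "GetBlob" and r["http"] in (200, 206):
            entry["count"] += 1
            entry["bytes"] += r["resp_bytes"]
            entry["objects"].add(r["key"])
            entry["auth"].add(r["auth"])
    return sorted(by_ip.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def flag_bulk_download(records, min_bytes=10 * 1024 * 1024):
    """IPs whose GetBlob volume reaches min_bytes: (ip, bytes, count, recon, auth types)."""
    return [(ip, e["bytes"], e["count"], e["recon"], sorted(e["auth"]))
            for ip, e in download_summary(records) if e["bytes"] >= min_bytes]


if __name__ == "__main__":
    recs = parse_v1(SAMPLE_LOG)
    for ip, total, n, recon, auth in flag_bulk_download(recs):
        print(f"{ip}: {n} GetBlob, {total} bytes, auth={auth}, recon={'yes' if recon else 'no'}")
```

Against real exports, feed the concatenated contents of the downloaded $logs blobs to parse_v1 and lower or raise min_bytes to the account's baseline; the objects set on each summary entry is the list of blobs to report as exposed for that caller.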

MITRE ATT&CK Techniques

T1530 Data from Cloud Storage · T1537 Transfer Data to Cloud Account · T1567 Exfiltration Over Web Service · T1078.004 Valid Accounts: Cloud Accounts · T1580 Cloud Infrastructure Discovery