Azure Storage Analytics & Diagnostic Logs

Tags: m365-azure, Data Access & Storage, Cloud Admin Portal, SIEM / Log Aggregator

Location

Azure Portal > Storage Account > Diagnostic settings (or $logs container for classic analytics)

Description

Storage account access logs recording every read, write, delete, and list operation on blobs, files, tables, and queues with authenticated identity, source IP, request URL, and response status.

Forensic Value

Storage analytics logs prove exactly which blobs and files were accessed or exfiltrated during a breach. Each log entry includes the authenticated caller identity, client IP address, and the specific object URL accessed. Bulk GetBlob operations indicate mass data download. ListBlob operations reveal reconnaissance of storage contents. Comparing access patterns against a normal baseline identifies anomalous data access. These logs are critical for quantifying data exposure for breach notification.
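The triage described above (bulk GetBlob per caller, repeated ListBlobs enumeration, denied requests excluded) as an added Python example that is not part of the original page; the rows are constructed to look like Log Analytics StorageBlobLogs output, the field names are the assumed schema, and the thresholds are placeholders to be tuned against the tenant's own baseline:

```python
from collections import defaultdict

# Constructed rows shaped like the Log Analytics StorageBlobLogs table; the field names are the
# assumed schema and every value (account, users, IPs, sizes) is made up for this example.
def row(op, status, auth, upn, ip, uri, size=0):
    return {"OperationName": op, "StatusCode": status, "AuthenticationType": auth,
            "RequesterUpn": upn, "CallerIpAddress": ip, "Uri": uri, "ResponseBodySize": size}

BASE = "https://acct.blob.core.windows.net/finance"
ALICE = ("OAuth", "alice@contoso.example", "203.0.113.7")
SAMPLE_LOGS = [
    row("ListBlobs", 200, *ALICE, BASE + "?comp=list"),
    row("ListBlobs", 200, *ALICE, BASE + "?comp=list&prefix=q1"),
    row("GetBlob", 200, *ALICE, BASE + "/q1/ledger.xlsx", 1048576),
    row("GetBlob", 200, *ALICE, BASE + "/q1/payroll.csv", 1048576),
    row("GetBlob", 200, *ALICE, BASE + "/q1/budget.pdf", 1048576),
    row("GetBlob", 200, *ALICE, BASE + "/q1/ledger.xlsx", 1048576),   # same blob fetched twice
    row("GetBlob", 403, "SAS", "", "198.51.100.9", BASE + "/q1/payroll.csv"),  # denied: no data moved
    row("GetBlob", 200, "SAS", "", "198.51.100.9", BASE + "/public/logo.png", 2048),
    row("PutBlob", 201, "OAuth", "bob@contoso.example", "192.0.2.44", BASE + "/q1/notes.txt", 512),
]

def caller_key(r):
    """Aggregate per identity and IP; SAS/anonymous requests carry no UPN, so fall back to the auth scheme."""
    return (r.get("RequesterUpn") or r.get("AuthenticationType", "unknown"), r["CallerIpAddress"])

def summarize_callers(rows):
    """Successful GetBlob/ListBlobs counts, bytes returned and distinct blobs per caller."""
    stats = defaultdict(lambda: {"GetBlob": 0, "ListBlobs": 0, "bytes": 0, "blobs": set()})
    for r in rows:
        if not 200 <= r["StatusCode"] < 300 or r["OperationName"] not in ("GetBlob", "ListBlobs"):
            continue  # only completed read/list operations count toward exposure
        s = stats[caller_key(r)]
        s[r["OperationName"]] += 1
        if r["OperationName"] == "GetBlob":
            s["bytes"] += r["ResponseBodySize"]
            s["blobs"].add(r["Uri"].split("?", 1)[0])  # drop query string (SAS token, snapshot id)
    return stats

def flag_anomalies(rows, get_threshold=3, list_threshold=2):
    """Callers over threshold with a reason string per pattern; thresholds are placeholders."""
    flagged = {}
    for key, s in summarize_callers(rows).items():
        reasons = []
        if s["GetBlob"] >= get_threshold:
            reasons.append(f"bulk download: {s['GetBlob']} GetBlob, {len(s['blobs'])} blobs, {s['bytes']} bytes")
        if s["ListBlobs"] >= list_threshold:
            reasons.append(f"enumeration: {s['ListBlobs']} ListBlobs")
        if reasons:
            flagged[key] = reasons
    return flagged
```

Running `flag_anomalies(SAMPLE_LOGS)` flags only the alice/203.0.113.7 pair, for both enumeration and bulk download; the same grouping translates directly to a KQL `summarize ... by RequesterUpn, CallerIpAddress` over the real table.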

Tools Required

Azure Portal, Log Analytics (KQL), Azure CLI (az storage logging), Azure Storage Explorer