Reputation: 127
I have a storage account and I have enabled read/write logs at the blob level to send blob logs to Log Analytics, but when I run this query
StorageBlobLogs | where OperationName =~ "CreateContainer" and AccountName =~ 'tester1234567'
I am able to get the logs but not able to find who created it. Also, it would be helpful if I could get a query on how to find who created and deleted a blob/container.
Upvotes: -1
Views: 3518
Reputation: 99
In order to obtain the user that created the container, go to the storage account and click Activity log. Click on the option Export Activity Logs > Add Diagnostic Setting, choose the log categories you want to send to Log Analytics and select your Log Analytics workspace.
Go back to the storage account and create a new container (you may have to wait a long time, 20 minutes or more, for the logs to start collecting before doing this).
Navigate to Log Analytics and use the query below:
AzureActivity
| where ResourceProviderValue == "MICROSOFT.STORAGE" and OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE"
| where parse_json(Properties_d).statusCode == "Created"
| project parse_json(Properties_d).resource, parse_json(Properties_d).statusCode, parse_json(Properties_d).activityStatusValue, parse_json(Properties_d).httpRequest, parse_json(Properties_d).caller
It should show something like this:
For deletion you can use this query:
AzureActivity
| where ResourceProviderValue == "MICROSOFT.STORAGE" and OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/DELETE"
| where parse_json(Properties_d).activityStatusValue == "Success"
| project parse_json(Properties_d).resource, parse_json(Properties_d).statusCode, parse_json(Properties_d).activityStatusValue, parse_json(Properties_d).httpRequest, parse_json(Properties_d).caller
In order to check who deleted a blob, the user that is updating/deleting the blob must be using an Active Directory identity (user or service principal). Using a SAS key will not display the username in the logs.
If the authentication used is Active Directory, then you should be able to find the objectId of the principal using this query:
StorageBlobLogs
| where OperationName == "DeleteBlob" and StatusCode == 202
| project TimeGenerated, AccountName, AuthenticationType, AuthenticationHash, parse_json(parse_json(AuthorizationDetails)[0].principals)[0].id
We can see the objectId and the authentication type is OAuth. The first two examples are SAS key authentication and we can only see which key is being used.
Upvotes: 1
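Building on the answer above, here is an added example (not part of the original answer) that combines the control-plane container deletes from AzureActivity with the data-plane blob/container deletes from StorageBlobLogs in a single result, and explicitly flags the rows that cannot be attributed to a person because a SAS token or account key was used. It assumes both tables land in the same Log Analytics workspace and uses the same Properties_d/AuthorizationDetails fields the answer relies on; the column names Operation, Resource, Caller, AuthType and Attributable are chosen here for the output, not taken from Azure.

```kql
// Added example: attribute container/blob deletions to a caller where possible,
// and surface the ones that are unattributable (SAS / account key).
let lookback = 7d;
// Control-plane (ARM) container deletes: the caller is always the signed-in identity.
let containerDeletes = AzureActivity
| where TimeGenerated > ago(lookback)
| where ResourceProviderValue == "MICROSOFT.STORAGE"
    and OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/DELETE"
| extend Props = parse_json(Properties_d)
| where tostring(Props.activityStatusValue) == "Success"
| project TimeGenerated,
          Operation = "DeleteContainer (ARM)",
          Resource = tostring(Props.resource),
          Caller = tostring(Props.caller),
          AuthType = "AzureAD",
          Attributable = true;
// Data-plane deletes: only OAuth requests carry a principal objectId.
let blobDeletes = StorageBlobLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("DeleteBlob", "DeleteContainer") and StatusCode in (200, 202)
| extend Principal = tostring(parse_json(parse_json(AuthorizationDetails)[0].principals)[0].id)
| extend Attributable = AuthenticationType == "OAuth" and isnotempty(Principal)
| project TimeGenerated,
          Operation = OperationName,
          Resource = ObjectKey,
          // For SAS/AccountKey the best we can do is record which key was used.
          Caller = iff(Attributable, Principal,
                       strcat("unattributed:", AuthenticationType, ":", AuthenticationHash)),
          AuthType = AuthenticationType,
          Attributable;
union containerDeletes, blobDeletes
| order by TimeGenerated desc
```

Rows with Attributable == false are the auditing gap the answer describes: the only way to close it is to have writers and deleters authenticate with an Azure AD identity rather than a shared key or SAS.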