What are the exact Log Analytics tables to query for Azure Storage firewall logs? Cannot find it in the documentation
Hi,
I'm trying to have an alert that triggers when there is a change in the Azure Storage Account firewall, particularly when there is a CIDR range change. I'd like to know which table and what Kusto query I should use. I have tried AzureDiagnostics with no luck; I have also enabled Diagnostics for the Azure Storage Account, but no luck either.
Azure Storage Accounts
-
Keshavulu Dasari • 3,095 Reputation points • Microsoft Vendor
2025-01-20T22:25:08.0133333+00:00
Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!
To set up an alert for changes in the Azure Storage Account Firewall, particularly for CIDR range changes, you can use Azure Monitor and KQL.
Ensure that diagnostic logging is enabled for your Azure Storage Account. This will capture the necessary logs for monitoring changes. If you haven't already, create a Log Analytics workspace where the diagnostic logs will be sent.
In the Azure portal, go to your Storage Account, select Diagnostic settings, and add a diagnostic setting to send logs to your Log Analytics workspace. Use the following Kusto query to detect changes in the firewall settings, including CIDR range changes:
AzureDiagnostics
// keep only storage account resources
| where ResourceType == "STORAGEACCOUNTS"
// ARM write (create/update) operations on the storage account
| where OperationName == "Microsoft.Storage/storageAccounts/write"
// only writes whose payload mentions the firewall
| where Properties contains "firewall"
// pull the networkAcls object (ipRules, virtualNetworkRules, defaultAction) out of the payload
| extend FirewallSettings = parse_json(Properties).properties.networkAcls
| project TimeGenerated, ResourceGroup, ResourceName, FirewallSettings
This query filters the logs for storage account updates and extracts the firewall settings.
Reference:
https://learn.microsoft.com/en-us/answers/questions/1275382/azure-firewall-logs-kusto-query
Create an Alert Rule:
- Go to Azure Monitor in the Azure portal.
- Select Alerts > New alert rule.
- Define the scope by selecting your Log Analytics workspace.
- Set the condition using the above Kusto query.
- Configure the alert details, such as the alert rule name, severity, and action group.
This setup will trigger an alert whenever there is a change in the firewall settings of your Azure Storage Account, including CIDR range changes.
Additional Reading:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/kql-quick-reference
Hope this helps. Do let us know if you have any further queries.
-
Julio-14 • 25 Reputation points
2025-01-20T23:16:28.62+00:00
Hi there,
When you refer to setting up, in the storage account, the diagnostic setting to send the logs to the Log Analytics workspace: I went into Storage Account -> Monitoring -> Diagnostic Setting and, as you can see in the screen, does that Diagnostic setting look correct? Because I had already done that, and then when trying the query I'm seeing an error in the syntax, but bottom line I don't have any info retrieved when the ResourceType is STORAGEACCOUNTS. What else am I missing? Thanks!
Keshavulu Dasari • 3,095 Reputation points • Microsoft Vendor
2025-01-21T02:33:17.7866667+00:00
Hi Julio-14,
Ensure that you have selected the correct log categories in the diagnostic settings. For Azure Storage Accounts, you should enable logs for Read, Write, and Delete operations, and verify that the logs are being sent to the correct Log Analytics workspace.
Confirm that the logs are being ingested into the Log Analytics workspace; sometimes there is a delay in log ingestion. Ensure that the storage account allows trusted Microsoft services to access it. This setting is crucial for diagnostic logs to be captured correctly.
Ensure that logs are being generated and sent to the Log Analytics workspace. Sometimes there is a delay before log data appears in the workspace. You can verify this by checking the Logs section in Azure Monitor.
Make sure that the necessary permissions and network rules are in place to allow Azure Monitor to access your storage account logs. If you are using private endpoints, ensure they are correctly configured.
If the issue persists, you might want to refer to the following resources for more detailed guidance:
If you continue to face issues, please let me know; I would be happy to help you.
-
Julio-14 • 25 Reputation points
2025-01-22T00:07:20.46+00:00
Hi,
Under the Log Analytics workspace I can see the corresponding Storage tables, and there are log records in those tables. I have also made sure of the setting allowing Azure services as a trusted service to access the storage account; still, when trying the suggested AzureDiagnostics CIDR KQL query, no results are retrieved. In AzureDiagnostics I can see data coming from 2 different resource groups, and the storage account is in one of those resource groups, but no luck for the storage account resource.
If someone has faced this issue, it would be awesome to have a particular pointer to what to change, and even a screenshot would be better.
Thanks!
-
Keshavulu Dasari • 3,095 Reputation points • Microsoft Vendor
2025-01-22T19:40:45.8366667+00:00
Hi Julio-14,
You have set up the diagnostic settings correctly and can see logs in the Log Analytics workspace. Let's refine the query to ensure it captures the specific changes you are looking for. Below is an updated KQL query that should help you track changes to the firewall settings, including CIDR range changes, for your Azure Storage Account:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STORAGE"
| where ResourceType == "STORAGEACCOUNTS"
// ARM write (create/update) operations on the storage account
| where OperationName == "Microsoft.Storage/storageAccounts/write"
// ignore failed or in-progress writes
| where ActivityStatus == "Succeeded"
// parse the JSON payload once, then read the IP rules (CIDR ranges) from networkAcls
| extend Properties = todynamic(Properties)
| extend FirewallRules = Properties.properties.networkAcls.ipRules
| where isnotempty(FirewallRules)
| project TimeGenerated, ResourceGroup, ResourceName, FirewallRules
Please Verify:
- Ensure Diagnostic Settings: Double-check that the diagnostic settings are sending logs to the correct Log Analytics workspace and that all necessary log categories are selected.
- Check Log Ingestion: Verify that logs are being ingested correctly by querying other types of logs from the same storage account to ensure data flow.
- Query Specific Resource Group: If your storage account is in a specific resource group, you can add a filter to the query to narrow down the results:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STORAGE"
| where ResourceType == "STORAGEACCOUNTS"
// restrict to the resource group that holds the storage account
| where ResourceGroup == "<Your_Resource_Group_Name>"
| where OperationName == "Microsoft.Storage/storageAccounts/write"
| where ActivityStatus == "Succeeded"
| extend Properties = todynamic(Properties)
| extend FirewallRules = Properties.properties.networkAcls.ipRules
| where isnotempty(FirewallRules)
| project TimeGenerated, ResourceGroup, ResourceName, FirewallRules
Ensure that there have been recent changes to the firewall settings. If no changes have been made recently, the query might not return any results.
Please check the Azure Monitor documentation for additional troubleshooting steps:
https://learn.microsoft.com/en-us/azure/storage/files/files-monitoring-alerts
https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
Hope this helps. Do let us know if you have any further queries.
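The queries in this thread project the networkAcls object from each successful write, but whether a CIDR range was actually added, removed or widened only becomes visible when one write is compared with the previous write for the same account. The following Python is an added example, not code from the thread or from Microsoft, that performs that comparison over constructed records shaped like the projected query output (TimeGenerated, ResourceName, Properties). The record values, the resource name, and the "/24 or broader" threshold used to mark a wide range are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample records (not a real log export). Each mimics one successful
# Microsoft.Storage/storageAccounts/write whose Properties payload carries the
# networkAcls object that the thread's KQL extracts.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2025-01-20T10:00:00Z", "ResourceName": "examplestorage",
     "Properties": json.dumps({"properties": {"networkAcls": {
         "defaultAction": "Deny", "bypass": "AzureServices",
         "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]}}})},
    {"TimeGenerated": "2025-01-20T11:30:00Z", "ResourceName": "examplestorage",
     "Properties": json.dumps({"properties": {"networkAcls": {
         "defaultAction": "Deny", "bypass": "AzureServices",
         "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"},
                     {"value": "198.51.100.0/22", "action": "Allow"}]}}})},
    {"TimeGenerated": "2025-01-20T12:00:00Z", "ResourceName": "examplestorage",
     "Properties": json.dumps({"properties": {"networkAcls": {
         "defaultAction": "Allow", "bypass": "AzureServices",
         "ipRules": [{"value": "198.51.100.0/22", "action": "Allow"}]}}})},
]

# Assumed threshold: an added rule with a prefix of /24 or shorter is flagged as wide.
WIDE_PREFIX_LEN = 24


def extract_network_acls(record):
    """Return the networkAcls dict from a record's Properties JSON, or None if absent."""
    payload = json.loads(record["Properties"])
    return payload.get("properties", {}).get("networkAcls")


def ip_rules_as_networks(acls):
    """Normalise ipRules values (single IPs or CIDRs) into a set of ip_network objects."""
    return {ipaddress.ip_network(rule["value"], strict=False)
            for rule in acls.get("ipRules", [])}


def diff_network_acls(records):
    """Walk records in time order and emit one event per change in IP rules or defaultAction."""
    events = []
    last_state = {}  # ResourceName -> {"rules": set, "default": str}
    for rec in sorted(records, key=lambda r: r["TimeGenerated"]):
        acls = extract_network_acls(rec)
        if acls is None:
            continue
        current = {"rules": ip_rules_as_networks(acls),
                   "default": acls.get("defaultAction")}
        prev = last_state.get(rec["ResourceName"])
        if prev is not None:
            added = sorted(current["rules"] - prev["rules"], key=str)
            removed = sorted(prev["rules"] - current["rules"], key=str)
            default_changed = prev["default"] != current["default"]
            if added or removed or default_changed:
                events.append({
                    "time": rec["TimeGenerated"],
                    "resource": rec["ResourceName"],
                    "added": [str(n) for n in added],
                    "removed": [str(n) for n in removed],
                    "default_action": (prev["default"], current["default"]) if default_changed else None,
                    # shortest prefix among added rules; None when nothing was added
                    "broadest_added_prefix": min((n.prefixlen for n in added), default=None),
                    "wide_range_added": any(n.prefixlen <= WIDE_PREFIX_LEN for n in added),
                })
        last_state[rec["ResourceName"]] = current
    return events


if __name__ == "__main__":
    for event in diff_network_acls(SAMPLE_RECORDS):
        print(event)
```

On the constructed input this yields two events: the second write adds 198.51.100.0/22 (flagged as a wide range), and the third write removes 203.0.113.0/24 while flipping defaultAction from Deny to Allow, which is the change a firewall alert most needs to surface. The same comparison can be done in KQL with prev() over rows serialized by TimeGenerated per ResourceName, but the Python form makes the set difference explicit.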
-
Keshavulu Dasari • 3,095 Reputation points • Microsoft Vendor
2025-01-24T18:39:13.8766667+00:00
Hi Julio Fonseca Caballero,
Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.
Keshavulu Dasari • 3,095 Reputation points • Microsoft Vendor
2025-01-27T14:52:12.56+00:00
Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.