what are the exact log analytics tables to query for azure storage firewall logs. Cannot find it in the documentation

Julio-14 25

Hi,

I'm trying to have an alert that triggers when there is a change in the Azure Storage Account Firewall, particularly when there is a CIDR range change, I'd like to know which table what Kusto query I should use, I have tried AzureDiagnostics with no luck, also I have enabled Diagnostics for the Azure Storage Account but no luck neither

Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-20T22:25:08.0133333+00:00
Hi Julio Fonseca Caballero,

Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

To set up an alert for changes in the Azure Storage Account Firewall, particularly for CIDR range changes, you can use Azure Monitor and KQL.

Ensure that diagnostic logging is enabled for your Azure Storage Account. This will capture the necessary logs for monitoring changes, If you haven't already, create a Log Analytics workspace where the diagnostic logs will be sent.

In the Azure portal, go to your Storage Account, select Diagnostic settings, and add a diagnostic setting to send logs to your Log Analytics workspace, Use the following Kusto query to detect changes in the firewall settings, including CIDR range changes:

AzureDiagnostics | where ResourceType == "STORAGEACCOUNTS" | where OperationName == "Microsoft.Storage/storageAccounts/write" | where Properties contains "firewall" | extend FirewallSettings = parse_json(Properties).properties.networkAcls | project TimeGenerated, ResourceGroup, ResourceName, FirewallSettings

This query filters the logs for storage account updates and extracts the firewall settings.

Reference:
https://learn.microsoft.com/en-us/answers/questions/1275382/azure-firewall-logs-kusto-query

Create an Alert Rule:

Go to Azure Monitor in the Azure portal.

Select Alerts > New alert rule.

Define the scope by selecting your Log Analytics workspace.

Set the condition using the above Kusto query.

Configure the alert details, such as the alert rule name, severity, and action group.

This setup will trigger an alert whenever there is a change in the firewall settings of your Azure Storage Account, including CIDR range changes

Additional Reading: -
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/kql-quick-reference

https://www.geeksforgeeks.org/microsoft-azure-firewall-network-flow-logs-with-timegenerated-using-kql/

Hope this helps. Do let us know if you have any further queries.
Julio-14 25 Reputation points

2025-01-20T23:16:28.62+00:00

Hi there,

When you're referring to set up in the storage account the diagnostic setting to send the logs to the Log Analytics workspace, I went into Storage Account -> Monitoring -> Diagnostic Setting and as you can see in the screen, does that Diagnostic setting looks correct? because I had already done that and then when trying the query, I'm seeing an error in the syntax, but bottom line I don't have any info retrieved when the ResourceType of STORAGEACCOUNTS, what else do I'm missing? thanks!
Julio-14 25 Reputation points

2025-01-20T23:23:56.8666667+00:00

Hi there,
When you're referring to set up in the storage account the diagnostic setting to send the logs to the Log Analytics workspace, I went into Storage Account -> Monitoring -> Diagnostic Setting and as you can see in the screen, does that Diagnostic setting looks correct? because I had already done that and then when trying the query, I'm seeing an error in the syntax, but bottom line I don't have any info retrieved when the ResourceType of STORAGEACCOUNTS, what else do I'm missing?
Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-21T02:33:17.7866667+00:00
Hi Julio-14 ,

Ensure that you have selected the correct log categories in the diagnostic settings. For Azure Storage Accounts, you should enable logs for Read, Write, and Delete operations, verify that the logs are being sent to the correct Log Analytics workspace.

The logs are being ingested into the Log Analytics workspace. Sometimes, there might be a delay in log ingestion. Ensure that the storage account allows trusted Microsoft services to access it. This setting is crucial for diagnostic logs to be captured correctly.

Ensure that logs are being generated and sent to the Log Analytics workspace. Sometimes, there might be a delay in log data appearing in the workspace. You can verify this by checking the Logs section in the Azure Monitor.

Make sure that the necessary permissions and network rules are in place to allow Azure Monitor to access your storage account logs. If you are using private endpoints, ensure they are correctly configured.

If the issue persists, you might want to refer to the following resources for more detailed guidance:

Diagnostic settings in Azure Monitor

Create diagnostic settings in Azure Monitor

If you continue to face issues, please let me know I would be happy to help you.
Julio-14 25 Reputation points

2025-01-22T00:07:20.46+00:00

Hi,

Under Log Analytics workspace I can see the corresponding Storage tables, and there are log records in those tables, also I have made sure the setting to allowing Azure services as a trusted service to access the storage account, still when trying suggested the Azure Diagnostics CIDR KQL query, no results retrieved. In the Azure Diagnostics I can see data coming from 2 different resource groups and the storage account is in one of those resource groups, but no luck for the storage account resource.

If someone has faced this issue, it would be awesome to have a particular pointer to what to change and even a screen shot would be better

Thanks!
Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-22T19:40:45.8366667+00:00
Hi Julio-14 ,

You are set up the diagnostic settings correctly and can see logs in the Log Analytics workspace. Let's refine the query to ensure it captures the specific changes you are looking for. below is an updated KQL query that should help you track changes to the firewall settings, including CIDR range changes, for your Azure Storage Account:

AzureDiagnostics | where ResourceProvider == "MICROSOFT.STORAGE" | where ResourceType == "STORAGEACCOUNTS" | where OperationName == "Microsoft.Storage/storageAccounts/write" | where ActivityStatus == "Succeeded" | extend Properties = todynamic(Properties) | extend FirewallRules = Properties.properties.networkAcls.ipRules | where isnotempty(FirewallRules) | project TimeGenerated, ResourceGroup, ResourceName, FirewallRules

Please Verify:

Ensure Diagnostic Settings:

Double-check that the diagnostic settings are sending logs to the correct Log Analytics workspace and that all necessary log categories are selected.

Check Log Ingestion:

Verify that logs are being ingested correctly by querying other types of logs from the same storage account to ensure data flow.

Query Specific Resource Group:

If your storage account is in a specific resource group, you can add a filter to the query to narrow down the results:

AzureDiagnostics | where ResourceProvider == "MICROSOFT.STORAGE" | where ResourceType == "STORAGEACCOUNTS" | where ResourceGroup == "<Your_Resource_Group_Name>" | where OperationName == "Microsoft.Storage/storageAccounts/write" | where ActivityStatus == "Succeeded" | extend Properties = todynamic(Properties) | extend FirewallRules = Properties.properties.networkAcls.ipRules | where isnotempty(FirewallRules) | project TimeGenerated, ResourceGroup, ResourceName, FirewallRules

Ensure that there have been recent changes to the firewall settings. If no changes have been made recently, the query might not return any results.

Please check the Azure Monitor documentation for additional troubleshooting steps

https://learn.microsoft.com/en-us/azure/storage/files/files-monitoring-alerts

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

Hope this helps. Do let us know if you have any further queries.
Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-24T18:39:13.8766667+00:00

Hi Julio Fonseca Caballero,
Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.
Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-27T14:52:12.56+00:00

Hi Julio Fonseca Caballero,

Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.

1 answer

Julio-14 25

Hi @Keshavulu Dasari ,

I ended up querying the Azure Analytics, was not able to find out what did I was missing to retrieve the data from azure diagnostics, instead I went to Activity Log, then do the Export of the Activity Log into Log Analytics Workspace and from there used below query,

What I don't like is that the emails not always come and that is crucial for the alerting

Thanks,
J

AzureActivity
| where OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
| order by TimeGenerated desc
| summarize arg_max(TimeGenerated, *) by CorrelationId
| top 2 by TimeGenerated
| order by TimeGenerated desc
| project
    CorrelationId,
    EventDataId,
    ResourceGroup,
    OperationNameValue,
    _ResourceId,
    TimeGenerated,    
    networkAcls = extract_json("$.properties.networkAcls", extract_json("$.responseBody", Properties, typeof(string)), typeof(string)),
    ipRules = extract_json("$.properties.networkAcls.ipRules", extract_json("$.responseBody", Properties, typeof(string)), typeof(string)),
    publicNetWorkAccess = extract_json("$.properties.publicNetworkAccess", extract_json("$.responseBody", Properties, typeof(string)), typeof(string))
//NetworkAcls
| extend nextValueNetworkAcls=next(networkAcls)
| extend doesNetworkAclsChanged = iff(networkAcls != nextValueNetworkAcls, "Yes", "No")
//Public Network Access
| extend nextPublicNetWorkAccess=next(publicNetWorkAccess)
| extend doesPublicNetWorkAccessChanged = iff(publicNetWorkAccess != nextPublicNetWorkAccess, "Yes", "No")
| top 1 by TimeGenerated
| project
    TimeGenerated,
    CorrelationId,
    EventDataId,
    ResourceGroup,
    OperationNameValue,
    _ResourceId,
    doesNetworkAclsChanged,
    //doesIPRulesChanged,
    doesPublicNetWorkAccessChanged
| where doesNetworkAclsChanged == "Yes" or doesPublicNetWorkAccessChanged == "Yes"

Keshavulu Dasari 3,170 Reputation points Microsoft Vendor

2025-01-27T20:57:22.59+00:00

Hi Julio-14

You are made good progress by querying the Azure Activity Log and exporting it to the Log Analytics Workspace. Query looks well-structured for detecting changes in the firewall settings.

Share via

what are the exact log analytics tables to query for azure storage firewall logs. Cannot find it in the documentation

1 answer

Your answer