I know many Microsoft Sentinel customers have been waiting to monitor Read, Write, and Delete operations on Azure Storage accounts.
To enable this for Microsoft Sentinel, create a Diagnostic Setting on each storage service you want to monitor (blob, file, queue, and table are separate resources under the storage account, and each one gets its own setting) and send the logs to the Log Analytics workspace that Microsoft Sentinel is connected to. In my case I enabled it for blob and file storage only, since I rarely use the queue and table services.
Once a Diagnostic Setting is enabled, a new table appears in the workspace for each service: StorageBlobLogs, StorageFileLogs, StorageQueueLogs, and StorageTableLogs. The table is created when the first records arrive, so it can take a few minutes after saving the setting before it shows up in the workspace schema.
This is not free, by the way: every record incurs the workspace's regular ingestion charge. That is the main reason I have not enabled the Transaction metrics category and collect only the StorageRead, StorageWrite, and StorageDelete log categories. Be aware that StorageRead is usually by far the largest of the three on a busy account, so check the ingestion volume after a day or two before rolling the setting out to every account.
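Two KQL queries for checking the result, added here as an example and not part of the original post. The first confirms which storage-log tables are actually receiving data (isfuzzy=true keeps the query working when a table does not exist yet because that service's setting was never enabled); the second reports billable ingestion per table and day from the Usage table, which is where the cost of the new categories becomes visible. The table names are the ones Azure Monitor creates; the 1-day and 7-day windows are assumptions.

```kql
// Run each of the two queries below separately in the Log Analytics query editor.

// 1. Which storage-log tables are receiving data, and from which accounts and categories?
//    isfuzzy=true: tables that do not exist yet are skipped instead of failing the query.
union withsource=TableName isfuzzy=true
    StorageBlobLogs, StorageFileLogs, StorageQueueLogs, StorageTableLogs
| where TimeGenerated > ago(1d)
| summarize
    Records  = count(),
    LastSeen = max(TimeGenerated)
    by TableName, AccountName, Category
| order by TableName asc, AccountName asc, Category asc

// 2. Billable ingestion per storage-log table and day (Usage.Quantity is in MB; 7-day window is an assumption).
Usage
| where TimeGenerated > ago(7d)
| where DataType in ("StorageBlobLogs", "StorageFileLogs", "StorageQueueLogs", "StorageTableLogs")
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024.0, 3) by DataType, bin(TimeGenerated, 1d)
| order by TimeGenerated asc, DataType asc
```

If the first query shows records for StorageRead but the second shows a daily GB figure you are not prepared to pay for, the usual compromise is to keep StorageWrite and StorageDelete on every account and enable StorageRead only on the accounts that hold sensitive data.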
You will also need to create your own Analytics Rules, as none are supplied for these tables. Stay tuned, though. I may write a few samples and post them to my GitHub repo (https://github.com/rod-trent).
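A sample scheduled Analytics Rule query, added here as an example; it is not a rule shipped with Microsoft Sentinel and not from the author's repo. It flags a single caller that successfully deletes an unusual number of blobs or containers in a short window, which is the StorageDelete category doing the job the post enabled it for. The column names are those of the StorageBlobLogs table; the 15-minute lookback and the threshold of 10 deletions are assumptions to tune per environment.

```kql
// Sample scheduled Analytics Rule query: a burst of successful blob or container deletions by one caller.
// Added example, not a rule shipped with Microsoft Sentinel or with the original post.
// Assumptions: 15-minute lookback and a threshold of 10 deletions; tune both for your environment.
let lookback = 15m;
let threshold = 10;
StorageBlobLogs
| where TimeGenerated > ago(lookback)
| where Category == "StorageDelete"
| where OperationName in ("DeleteBlob", "DeleteContainer")
| where toint(StatusCode) between (200 .. 299)   // only deletes the service actually carried out
// Identify the caller by UPN when present, then object ID, then source IP (covers SAS and anonymous traffic)
| extend Caller = coalesce(RequesterUpn, RequesterObjectId, CallerIpAddress)
| summarize
    Deletions       = count(),
    DistinctObjects = dcount(ObjectKey),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated),
    Operations      = make_set(OperationName),
    SampleUris      = make_set(Uri, 5)
    by AccountName, Caller, CallerIpAddress, AuthenticationType
| where Deletions >= threshold
| order by Deletions desc
```

When you save this as a scheduled rule, run it every 15 minutes over a 15-minute lookback so each deletion is evaluated once, and map AccountName, Caller, and CallerIpAddress to the Azure resource, Account, and IP entities so the incident carries them. Keeping AuthenticationType in the grouping is deliberate: a burst of deletions authenticated with a SAS token or the account key, rather than an Entra ID identity, is the case that most often turns out to be a leaked credential.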