top of page

WELCOME TO CLOUD MATTER

Search
  • Writer's pictureRoman Guoussev-Donskoi

Monitor access to sensitive data: easy with Azure Storage

These days much of sensitive data is stored in the cloud including Azure storage accounts. Monitoring access to sensitive data is a critical requirement. Fortunately Microsoft provides preview capability to track each request made against Azure Storage or Azure Data Lake (ADLS2). These logs indicate the operation performed, requester identity and IP address, whether a request was made anonymously, by using an OAuth 2.0 token, by using Shared Key, or by using a shared access signature (SAS) as well as many other useful attributes and metrics.


Setup

In Azure Storage account go to Monitoring->"Diagnostic settings (preview)" and click on service you need to monitor: in our case blob (which also includes ADLS2 monitoring)


Then click to "Add diagnostics setting"


Specify destination (in our case this is Sentinel Log Analytics workspace to leverage storage access audit data for creation of Sentinel rules). Also specify access types to be monitored using Categories or Groups.


Setup complete.



Accessing logs in a Log Analytics workspace

In Log Analytics workspace storage access audit data is stored in the StorageBlobLog table. Logs for Data Lake Storage Gen2 do appear in the same table. That's because Data Lake Storage Gen2 is not service. It's a set of capabilities that you can enable in your storage account. If you've enabled those capabilities, logs will continue to appear in the StorageBlobLog table.


Best practice

To provide better audit and traceability (identify principal accessing the storage in the audit record) we should restrict and if possible completely block SAS and Shared Key Authorization and instead leverage OAuth as much as possible.

This is documented by Microsoft in Prevent Shared Key authorization for an Azure Storage account.


Column "AuthenticationType" in StorageBlobLog shows type of authentication used to access storage. When AuthenticationType is "OAuth" we can monitor identity of the caller accessing storage. (if you have to use SAS we can apply mitigations which will describe in another blog.)

In "OperationName" column we can see the operation performed : for example "PutBlob" shows object has been uploaded to a storage.


Lets look at data attributes in more detail:


StorageBlobLogs | where AuthenticationType == 'OAuth' and RequesterUpn contains '@' and not(OperationName has_any('GetBlobServiceProperties', 'GetUserDelegationKey', 'CreatePathDir', 'ListBlobs')) |

project TimeGenerated, Protocol, OperationName, AuthenticationType, Uri, RequesterUpn, CallerIpAddress, Category, TlsVersion




  1. Operation is PutBlob

  2. The specific Blob accessed

  3. Identity of requestor that performed the operation

  4. IP address of the requester

  5. TLS version (now TLS1.2 and above should only be acceptable)

This is all for now. Hope you find useful.



687 views0 comments

Recent Posts

See All

LLMs (such as OpenAI) are good for reasoning but they lack capability interface with outside world. This is where Langchain agents step in: agents provide LLMs with tools to perform actions (for examp

Summary Langchain framework makes building of LLM applications much easier, extends capabilities of LLM applications, and introduces structured approach, which facilitates supporting and managing app

Home: Blog2

Subscribe

Home: GetSubscribers_Widget

CONTACT

Your details were sent successfully!

Computers
Home: Contact
bottom of page