Azure Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
In this article, I will share with you how to monitor Azure storage account activity log with Azure Sentinel.
The cloud environment needs storage accounts, also known as cloud storage, to build scalable and resilient applications. These accounts should only be accessed by legitimate users or applications. Operations such as listing storage account keys, regenerating account access keys, or changing the configuration must be logged and monitored closely.
The Activity Log is a platform log in Azure that provides insight into subscription-level events. This includes information such as when any resource is modified or when a storage account's access keys are listed or regenerated.
You can view the Activity log for your storage account through the Azure Portal | Activity log blade as shown in the figure below, or you can retrieve the entries with PowerShell and Azure CLI.
What if you want to monitor those operation logs more closely for security and compliance reasons? You should enable a diagnostic setting to send the Activity log to Azure Monitor Logs (a Log Analytics workspace), to Azure Event Hubs to forward it outside of Azure, or to Azure Storage for archiving.
The next question is how to be notified and receive an immediate alert when the Azure Storage account keys are enumerated. In this article, I will share with you how to be proactive and be alerted with Azure Sentinel when your storage account access keys are regenerated. You can use the same logic and adapt it based on your security requirements.
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.
- Azure Sentinel – To enable Azure Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.
- Azure storage v2 account – To create a general-purpose v2 storage account, you can follow the instructions described here.
- Configure Activity Log data connector in Azure Sentinel to collect activity logs (more on this in the next section).
Collect Azure Activity Logs
You have two options to configure and collect the Activity log (Azure platform logs) and send them to the Azure Sentinel log analytics workspace:
- You can go to your Azure Sentinel workspace, under Configurations | Data connectors | Azure Activity. Click on Open the connector page, and then select Configure Azure Activity logs >. Then you can select your desired subscription where your storage accounts are deployed and then click Connect button as shown in the figure below.
- Or, the second option, and the one recommended by Microsoft, is to use Diagnostic Settings on every subscription to collect and send the logs to the Sentinel workspace. This ensures lower latency and broader collection than collecting the activity logs through the Data connector page. To do that, search for Monitor in the Azure Portal, select the Activity Log blade, and then click on Diagnostic Settings. Choose your desired subscription and then click + Add diagnostic setting. Give the diagnostic setting a descriptive name, choose the category details that you want to collect from the subscription, and finally choose the destination details to send them to the Azure Sentinel log analytics workspace as shown in the figure below. In this example, I am interested in collecting all the platform logs and metrics.
Azure Sentinel Side
Now that we have everything in place for collecting storage account activity logs, we can monitor, track, and detect suspicious activities and use the many other capabilities Azure Sentinel offers.
Create a hunting query
If you’re an investigator who wants to be proactive about looking for security threats, Azure Sentinel provides powerful hunting search and query tools to hunt for security threats across your organization’s data sources.
In this step, we will create a hunting query to monitor in real-time when the storage account access keys are getting regenerated.
Now you may ask, why do we need to create a Hunting query instead of an Analytic rule? In fact, you can do both. With an analytic rule, the minimum query schedule is 5 minutes or above; with a hunting query, it’s nearly real-time (Livestream). You can think of it as reactive versus proactive.
For the remainder of this article, I will use both approaches with Hunting to create a live stream session and create an analytic rule. The good news is, when the custom query is created, you can create an analytic rule from the Hunting queries blade directly.
Open Azure Portal and sign in with a user who has Azure Sentinel Contributor permissions.
Click All services found in the upper left-hand corner. In the list of resources, type Azure Sentinel. As you begin typing, the list filters based on your input.
Click on Azure Sentinel and then select the desired Workspace.
From Azure Sentinel’s sidebar, select Hunting under the Threat management section, then click + New Query as shown in the figure below.
Enter a descriptive Name and Description. In the Custom query section, enter the following KQL query to be alerted when your storage account access keys are regenerated:
AzureActivity
| where Properties has "Microsoft.Storage/storageAccounts/regenerateKey/action"
| extend WhoDidIt = Caller, StorageAccountName = tostring(parse_json(Properties).resource)
| project WhoDidIt, StorageAccountName, ResourceGroup, _ResourceId, CallerIpAddress, EventSubmissionTimestamp
This query searches the AzureActivity table for storage account events carrying the regenerate key action. With the extend operator, I create two custom columns, WhoDidIt and StorageAccountName, and populate them from the Caller column and the resource field of the Properties JSON. Finally, with the project operator, I select the columns that give more details about this operation.
If you want to monitor who accessed or listed your storage account access keys, you can use the following KQL query, or you can combine both queries together. This query searches the AzureActivity table for storage account events carrying the list keys action.
AzureActivity
| where Properties has "Microsoft.Storage/storageAccounts/listKeys/action"
| extend WhoDidIt = Caller, StorageAccountName = tostring(parse_json(Properties).resource)
| project WhoDidIt, StorageAccountName, ResourceGroup, _ResourceId, CallerIpAddress, EventSubmissionTimestamp
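As an added example (not from the original article), here is one way to combine the two queries above into a single rule query that covers both listKeys and regenerateKey, keeps only the Succeeded record of each operation, and summarizes per caller, IP, and account so that repeated key listing within the 5-minute lookback stands out as enumeration while still returning the columns used later for entity mapping. It assumes the standard AzureActivity columns ActivityStatusValue and TimeGenerated; the count threshold of 3 is an arbitrary constructed value.

```kql
// Added example, not the article's own query. Assumes the standard AzureActivity
// columns ActivityStatusValue and TimeGenerated; the threshold of 3 is constructed.
let keyOps = dynamic([
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action"]);
AzureActivity
| where TimeGenerated > ago(5m)                  // same window as the 5-minute rule lookback
| where Properties has_any (keyOps)
| where ActivityStatusValue == "Succeeded"       // one record per operation, not Started + Succeeded
| extend Operation = iff(Properties has "regenerateKey", "RegenerateKey", "ListKeys"),
         StorageAccountName = tostring(parse_json(Properties).resource)
| summarize OperationCount = count(),
            Operations = make_set(Operation),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by WhoDidIt = Caller, CallerIpAddress, StorageAccountName, ResourceGroup, _ResourceId
| extend Severity = case(
    set_has_element(Operations, "RegenerateKey"), "Medium",  // keys rotated: always alert
    OperationCount >= 3, "Medium",                          // repeated listing: likely enumeration
    "Low")
| project FirstSeen, LastSeen, WhoDidIt, CallerIpAddress, StorageAccountName,
          ResourceGroup, _ResourceId, Operations, OperationCount, Severity
```

WhoDidIt, CallerIpAddress, and _ResourceId are kept as output columns so the same Account, IP, and Azure Resource entity mappings described below can be applied unchanged.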
Assign the appropriate Tactics to the query, such as PreAttack and Credential Access, and then click on Create. Once the custom query is created, navigate to Sentinel > Threat management > Hunting > Queries tab and filter by the provider (Custom Queries).
Now to monitor your storage accounts in real-time and receive notifications when a new event occurs, locate the hunting query that we created in the previous step, right-click the query, and select Add to Livestream as shown in the figure below.
Now to view your Livestream session in action, navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that we added in the previous step, right-click and select Play as shown in the figure below.
I will go now and regenerate the Access Keys of my storage account and wait for the notification to pop up. Because Livestream notifications for new events use Azure Portal notifications, you will see these notifications whenever you use the Azure portal. In my example, it took around 3 minutes for the notification to pop up after I regenerated the access keys. Select the notification to open the Livestream pane as shown in the figure below.
Navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that is running and then click on the Open Livestream button as shown in the figure below.
Make sure that your Livestream session is running. You should see output similar to the figure below when someone regenerates the storage account Access keys (IP Address, Resource Group Name, Timestamp, Storage account name, and Who did it).
Create an analytic rule
Now you can promote a Livestream session to a new alert by creating an analytic rule.
From within the same Livestream session, click on the Create analytics rule as shown in the figure below.
Give the analytic rule a meaningful Name and Description, then select the following 2 Tactics (PreAttack, Credential Access). Those tactics are based on the MITRE ATT&CK Matrix for Enterprise. Then select Medium for the Severity and click Next to Set rule logic.
In the Set rule logic tab, you will see the same rule query that we used in the previous step. You can update it or leave it as it is.
I need to enrich my alert, so I will map the following entities to the rule under the Alert enrichment section:
- Account | Name = WhoDidIt
- IP | Address = CallerIpAddress
- Azure Resource | ResourceId = _ResourceId
In the Query scheduling section, I will schedule this query to run every 5 minutes and lookup data from the last 5 minutes. I will not change any other setting in the Set rule logic tab. Click Next to configure the Incident settings.
I will keep the default options for the Incident settings as well. However, I will enable Group related alerts, triggered by this analytics rule, into incidents, and keep the default grouping setting: Grouping alerts into a single incident if all the entities match (recommended). Click Next to configure the Automated response.
In the Automated response tab, I will select the automated playbook that I created earlier to post a message in the Microsoft Teams Channel to inform the SOC team members about this operation. Click Next to review and create.
On the Review and create page, validate the settings and click Create to start the rule creation process.
Simulate an alert
To trigger an alert, I will go now and regenerate the Access Keys of my storage account one more time.
Let’s see if I have received any messages on the Microsoft Teams channel. After waiting for 5 minutes, a message popped up in my Teams channel as shown in the screenshot below, which means the analytic rule ran the playbook automatically, and the SOC team received this alert including all entity details and which Azure resource is affected.
Now switch back to Azure Sentinel and check whether an incident was created after this suspicious activity. You will see a new open incident that was created when the storage account access keys were regenerated. You can see the Incident id number that was created by the analytic rule, as illustrated in the previous step, which has the playbook attached to it.
You can also view more details of the incident by clicking on the View full details button and see all the Entities as shown in the figure below.
That’s it, there you have it. Happy Azure Sentinel Hunting!
In this article, I showed you how to create a hunting query with a Livestream session in Azure Sentinel that will trigger an alert when your storage account keys are enumerated. Then I have created an analytic rule that will automatically trigger a security playbook to inform the organization’s Security Operation Center (SOC) team of this suspicious activity.
Please note that this is only one automation scenario for responding to security threats, posting a message on Microsoft Teams. You could also automatically block the IP address, or you could disable Allow shared key access, so that any requests to the storage account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. There are plenty of playbooks available in the Azure Sentinel GitHub page, contributed by the community and Microsoft security experts, that you can leverage.
Additional resources I highly encourage you to check:
- Learn more about Azure Sentinel, check the official documentation from Microsoft.
- Learn about Analytics Rules, check the official documentation from Microsoft.
- Learn about Playbooks, check the Azure Sentinel’s GitHub page contributed by the community and Microsoft.
The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data from different sources, such as Azure platform logs, Azure Security Center, or other Microsoft security solutions, as well as other third-party solutions.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.