
How Microsoft Azure Storage Logs Aid Forensics Following a Security Breach

Published September 17, 2025

Cybersecurity

Microsoft Azure Storage Logs for Forensic Analysis

Forensic investigators play a crucial role in tracing the activities of attackers following a security breach. Microsoft Azure Storage logs are an often overlooked yet vital source of that evidence.

These logs provide essential insights for reconstructing attacks, tracing data theft, and identifying security vulnerabilities. Azure Storage Accounts, which store significant amounts of sensitive data, are frequent targets for threat actors aiming to exfiltrate information.

However, diagnostic logging for storage accounts is not enabled by default, which can leave a significant gap in incident response capabilities. Without these logs, critical evidence of unauthorized access and data theft may be permanently lost.

Common Exploitation Methods

Threat actors exploit weaknesses such as misconfigured security settings, weak access controls, and leaked credentials. Two prevalent methods include:

  • Misuse of Shared Access Signature (SAS) tokens, which grant specific permissions for a limited time.
  • Exposure of Storage Account keys, providing privileged, long-term access to data.

Key Features of Azure Storage Logs

Enabling logging allows investigators to query the StorageBlobLogs table in Azure's Log Analytics. These logs record read, write, and delete operations, providing a digital breadcrumb trail of an attacker's actions. Key fields include:

  • OperationName: Identifies the specific action, such as “GetBlob” (downloading a file), “PutBlob” (uploading a file), or “DeleteBlob.”
  • CallerIpAddress: Records the requester's IP address, helping pinpoint the origin of malicious activity.
  • UserAgentHeader: Indicates the tool used for data access, distinguishing a web browser or the Azure portal from specialized tools like AzCopy or Azure Storage Explorer.
  • AuthenticationType: Shows how the request was authenticated, such as standard credentials (OAuth), a SAS token, or an Account Key.

Analysis of these fields helps distinguish legitimate user activity from malicious actions. For instance, a sudden increase in “ListContainers” or “ListBlobs” operations from an unfamiliar IP address may signal an attacker mapping the storage environment.

From Detection to Prevention

Investigations often begin by correlating suspicious sign-ins from Microsoft Entra ID with storage log activity. For example, a compromised user account with administrative privileges might be used to grant another attacker-controlled account an access role such as “Storage Blob Data Contributor.”

The AzureActivity logs would indicate this role assignment, while the StorageBlobLogs would reveal the new account accessing and downloading sensitive files.

Correlating on the authentication hash of a SAS token allows investigators to track every action performed with that token, even if the attacker changes IP addresses, and so define the full scope of the compromise.
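The two analyses described above, spotting an enumeration burst (“ListContainers” / “ListBlobs”) from an unfamiliar IP and following one SAS token across changing source addresses, as an added worked example in Python over exported StorageBlobLogs rows (this is not code from the article). The sample rows, IP addresses, user-agent strings, object paths and the token hash value are constructed for the example; the column names (TimeGenerated, OperationName, CallerIpAddress, UserAgentHeader, AuthenticationType, AuthenticationHash, ObjectKey) follow the StorageBlobLogs schema, where AuthenticationHash is the field that carries the hash of the SAS token or key used. The allowlist of known IPs, the burst threshold and the time window are assumptions an analyst would tune for their own environment.

```python
"""Triage helpers over exported StorageBlobLogs rows (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ENUMERATION_OPS = {"ListContainers", "ListBlobs"}
DOWNLOAD_OPS = {"GetBlob"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp format used in Log Analytics exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def caller_ip(row):
    """CallerIpAddress is recorded as ip:port; drop the ephemeral port for grouping."""
    addr = row["CallerIpAddress"]
    if addr.count(":") == 1:  # IPv4 with a port; an IPv6 literal is left untouched
        return addr.split(":")[0]
    return addr


def enumeration_bursts(rows, known_ips, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max enumeration ops in any `window`} for IPs outside the allowlist
    whose burst reaches `threshold` (the "mapping the storage environment" pattern)."""
    times = defaultdict(list)
    for row in rows:
        ip = caller_ip(row)
        if row["OperationName"] in ENUMERATION_OPS and ip not in known_ips:
            times[ip].append(parse_time(row["TimeGenerated"]))
    bursts = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def sas_token_activity(rows):
    """Group SAS-authenticated requests by AuthenticationHash so one token's actions
    stay linked even when the caller moves to a different source IP."""
    activity = defaultdict(lambda: {"ips": set(), "operations": Counter(),
                                    "objects": set(), "user_agents": set()})
    for row in rows:
        if row["AuthenticationType"] != "SAS":
            continue
        entry = activity[row["AuthenticationHash"]]
        entry["ips"].add(caller_ip(row))
        entry["operations"][row["OperationName"]] += 1
        entry["user_agents"].add(row["UserAgentHeader"])
        if row["OperationName"] in DOWNLOAD_OPS:
            entry["objects"].add(row["ObjectKey"])
    return dict(activity)


def _row(ts, op, ip, ua, auth, auth_hash="", obj=""):
    """Build one StorageBlobLogs-shaped row (subset of the real columns)."""
    return {"TimeGenerated": ts, "OperationName": op, "CallerIpAddress": ip,
            "UserAgentHeader": ua, "AuthenticationType": auth,
            "AuthenticationHash": auth_hash, "ObjectKey": obj}


# Constructed sample: one legitimate browser user on the corporate range, then a SAS
# token used from a documentation-range IP to enumerate and download, and later the
# same token reused from a second IP. Real rows carry a SHA-256 hex digest here.
SAS_HASH = "constructed-sas-token-hash"
SAMPLE_LOGS = [
    _row("2025-09-10T08:00:00Z", "GetBlob", "10.0.0.5:51000", "Mozilla/5.0", "OAuth", obj="/acct/reports/q1.xlsx"),
    _row("2025-09-10T08:01:00Z", "ListBlobs", "10.0.0.5:51001", "Mozilla/5.0", "OAuth"),
    _row("2025-09-10T09:00:00Z", "ListContainers", "203.0.113.7:40000", "AzCopy/10.0", "SAS", SAS_HASH),
    _row("2025-09-10T09:00:30Z", "ListBlobs", "203.0.113.7:40001", "AzCopy/10.0", "SAS", SAS_HASH),
    _row("2025-09-10T09:01:00Z", "ListBlobs", "203.0.113.7:40002", "AzCopy/10.0", "SAS", SAS_HASH),
    _row("2025-09-10T09:01:30Z", "ListBlobs", "203.0.113.7:40003", "AzCopy/10.0", "SAS", SAS_HASH),
    _row("2025-09-10T09:02:00Z", "ListBlobs", "203.0.113.7:40004", "AzCopy/10.0", "SAS", SAS_HASH),
    _row("2025-09-10T09:05:00Z", "GetBlob", "203.0.113.7:40005", "AzCopy/10.0", "SAS", SAS_HASH, "/acct/hr/payroll.csv"),
    _row("2025-09-10T11:30:00Z", "GetBlob", "198.51.100.22:50000", "AzCopy/10.0", "SAS", SAS_HASH, "/acct/hr/contracts.zip"),
]
KNOWN_IPS = {"10.0.0.5"}  # assumption: the organisation's known egress addresses


if __name__ == "__main__":
    for ip, count in enumeration_bursts(SAMPLE_LOGS, KNOWN_IPS).items():
        print(f"enumeration burst: {ip} issued {count} list operations in 10 min")
    for token_hash, entry in sas_token_activity(SAMPLE_LOGS).items():
        print(f"SAS token {token_hash}: ips={sorted(entry['ips'])} "
              f"downloads={sorted(entry['objects'])} ops={dict(entry['operations'])}")
```

Run as a script it prints the burst from 203.0.113.7 and the full set of IPs and downloaded objects tied to the single token hash, which is the scope an investigator needs for remediation. In Log Analytics the same grouping is a `summarize` over StorageBlobLogs keyed on AuthenticationHash; the Python version is useful once rows have been exported for offline review.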

Enabling storage account logging is essential for organizations using Azure. These logs are indispensable for post-breach forensics, for guiding remediation efforts, and for implementing stronger controls to prevent future data theft.

Written By
Thomas Blake
