Azure Logs are being stored in a Storage account. How do I access and review logs, currently stored, for an incident investigation?

Charlie G 81 Reputation points

Currently, we have Azure Diagnostic logs exported to a storage account. These logs include:

  • AuditLogs
  • SignInLogs
  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs
  • ProvisioningLogs
  • ADFSSignInLogs
  • RiskyUsers
  • UserRiskEvents
  • NetworkAccessTrafficLogs
  • RiskyServicePrincipals
  • ServicePrincipalRiskEvents
  • EnrichedOffice365AuditLogs
  • MicrosoftGraphActivityLogs

We currently have data stored for over a year. My question is: how do I (as an admin) gain access to the logs and query them in support of an investigation? What is the best way to accomplish this?

1 answer

  1. KarishmaTiwari-MSFT 18,642 Reputation points Microsoft Employee

    @Charlie G Thanks for posting your query on Microsoft Q&A.

    Q: How to access, review and query logs stored in Azure Storage account?

    A: The best way to accomplish this would be using Azure Data Explorer.

    You can use Azure Data Explorer to ingest logs from the storage account and query them. Here is a great article describing the steps: Ingest data from a container into Azure Data Explorer

    Azure Data Explorer uses the Kusto Query Language, which is an expressive, intuitive, and highly productive query language. It offers a smooth transition from simple one-liners to complex data processing scripts, and supports querying structured, semi-structured, and unstructured (text search) data. There's a wide variety of query language operators and functions (aggregation, filtering, time series functions, geospatial functions, joins, unions, and more) in the language. KQL supports cross-cluster and cross-database queries, and is feature rich from a parsing (json, XML, and more) perspective. The language also natively supports advanced analytics.

    You can use the web application to run, review, and share queries and results. You can also send queries programmatically (using an SDK) or to a REST API endpoint. If you're familiar with SQL, get started with the SQL to Kusto cheat sheet.

    Additional Reading:

    If you have any questions at all, let me know in the "comments". Comment is the fastest way of notifying the experts.

    If this answer helped or steered you in the right direction, don't forget to 'Accept answer' and hit 'Yes' to 'was this ans helpful', wherever the information provided helps you, as this can be beneficial to other community members for remediation of similar issues.

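A lighter-weight complement to the Azure Data Explorer route recommended in the answer, added here as an example and not part of the original question or answer: read the exported diagnostic-log blobs directly and triage failed sign-ins by source IP for an incident window. It assumes the export is newline-delimited JSON (one record per line, as Azure Monitor writes to PT1H.json blobs) with `time`, `category`, `resultType`, `properties.userPrincipalName` and `properties.ipAddress` fields; the sample records are constructed, and the field names should be confirmed against a real blob before use.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample in the newline-delimited JSON shape that Azure Monitor diagnostic
# settings write to PT1H.json blobs; field names are assumptions, check a real blob.
def _rec(t, cat, result, upn, ip):
    return json.dumps({"time": t, "category": cat, "resultType": result,
                       "properties": {"userPrincipalName": upn, "ipAddress": ip}})

SAMPLE_BLOB = "\n".join([
    _rec("2024-03-10T08:02:11Z", "SignInLogs", "50126", "alice@contoso.example", "203.0.113.7"),
    _rec("2024-03-10T08:02:40Z", "SignInLogs", "50126", "bob@contoso.example", "203.0.113.7"),
    _rec("2024-03-10T08:03:05Z", "SignInLogs", "0", "alice@contoso.example", "198.51.100.20"),
    _rec("2024-03-09T22:15:00Z", "SignInLogs", "50126", "carol@contoso.example", "203.0.113.7"),
    _rec("2024-03-10T08:04:00Z", "AuditLogs", "0", "admin@contoso.example", "198.51.100.20"),
    "{not valid json",  # truncated record, as seen at blob boundaries
])

def _ts(s):
    # The export writes UTC timestamps with a trailing 'Z'; make them aware datetimes.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_records(blob_text):
    """Parse newline-delimited JSON; return (records, number_of_malformed_lines)."""
    records, bad = [], 0
    for line in blob_text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # one broken line must not abort the review
    return records, bad

def failed_signins_by_ip(records, start, end, min_failures=2):
    """Failed SignInLogs records with start <= time < end (ISO-8601), grouped by source IP.
    Returns [(ip, failures, distinct_users)] sorted by failures desc."""
    lo, hi = _ts(start), _ts(end)
    per_ip = defaultdict(lambda: [0, set()])
    for r in records:
        if r.get("category") != "SignInLogs" or str(r.get("resultType")) == "0":
            continue  # only failed interactive sign-ins are of interest here
        if not lo <= _ts(r["time"]) < hi:
            continue
        props = r.get("properties", {})
        ip = props.get("ipAddress", "unknown")
        per_ip[ip][0] += 1
        per_ip[ip][1].add(props.get("userPrincipalName", "unknown"))
    rows = [(ip, n, len(users)) for ip, (n, users) in per_ip.items() if n >= min_failures]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Many distinct users failing from a single IP in a short window is the pattern worth pulling into the ADX query once the data is ingested; the malformed-line counter is there because blobs cut at the hour boundary do occasionally contain a partial record.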