How to audit azure fileshare delete modify etc. events

petersonal 96 Reputation points
2023-09-12T11:19:02.88+00:00

We have an Azure Files file share, and we are using AD DS to authenticate. I would like to use file share auditing, i.e. to know who deleted, moved, modified, etc. that directory/file. I am seeing new posts asking about this feature yearly, but I never saw a solution. Could anybody point me in the right direction, if this can be done?

Thanks

Some research notes: I found that in 2020 this was not achievable according to this post: https://learn.microsoft.com/en-us/answers/questions/97299/viewing-the-access-logs-to-a-fileshare-using-azure

In 2022 I am unsure of a working solution described here: https://learn.microsoft.com/en-us/answers/questions/692445/azure-fileshare-auditing. Unfortunately, I do not have any knowledge of using APIs.


1 answer

  1. Sumarigo-MSFT 46,441 Reputation points Microsoft Employee
    2023-09-20T13:22:52.22+00:00

    @petersonal Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. 

    Regarding your question, we have logging for read/write/delete operations.

    When using AD DS authentication, they need to look at SmbPrimarySID in the logs to determine the user that performed the operation.

    Also, if they want to monitor for deletes that were performed over SMB, they need to look at the SMB minor command to determine if the file was deleted.

    Example from storage logs:

    ```json
    {
      "time": "2020-07-21T16:39:42.8712810Z",
      "resourceId": "/subscriptions/SubID_Removed/resourceGroups/afs/providers/Microsoft.Storage/storageAccounts/saname/fileServices/default",
      "category": "StorageWrite",
      "operationName": "Close",
      "operationVersion": "3.0",
      "schemaVersion": "1.0",
      "statusCode": 0,
      "durationMs": 3,
      "callerIpAddress": "IP_Removed",
      "correlationId": "d62bfd52-901d-0077-007d-5fa62a000000",
      "identity": {
        "type": "Kerberos",
        "requester": { "smbPrimarySID": "S-1-5-99-2128259027-3510468894-3109476588-2110" }
      },
      "location": "West US",
      "properties": {
        "accountName": "saname",
        "etag": "0x8d82d949eb5ace",
        "serviceType": "file",
        "lastModifiedTime": "2020/07/21 16:39:19.7636302",
        "serverLatencyMs": 3,
        "operationCount": 0,
        "requestHeaderSize": 64,
        "requestBodySize": 24,
        "responseHeaderSize": 64,
        "responseBodySize": 112,
        "smbSessionId": 97576756713163325,
        "smbTreeConnectID": 5,
        "smbPersistentHandleID": 7979073622,
        "smbVolatileHandleID": 18446744069415632993,
        "smbCreditsConsumed": 1,
        "smbMessageID": 557,
        "smbCommandMajor": 6,
        "smbCommandMinor": "FileCloseAndDelete",
        "smbCommandDetail": "Detail=Client",
        "smbFileId": 13835093239654252544
      },
      "uri": [\\saname.file.core.windows.net\westus\Azure Files\Azure Files Overview.pptx],
      "protocol": "SMB",
      "resourceType": "Microsoft.Storage/storageAccounts/fileServices"
    }
    ```

    Please let us know if you have any further queries. I'm happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

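The answer above gives the two fields that matter for a delete audit: `identity.requester.smbPrimarySID` says who acted, and `properties.smbCommandMinor` equal to `FileCloseAndDelete` says the close also removed the file. The script below is an added example, not code from Microsoft or from the answer, that applies exactly that filter to exported Azure Files diagnostic log lines and reports each successful SMB delete with the caller's SID, source IP and path. The sample log lines are constructed to match the schema in the answer (the SIDs, IP, share name and paths are invented); treating a non-zero `statusCode` as a failed attempt is an assumption based on the `0` shown in the answer's successful example, and resolving a SID to an account name is assumed to be done separately against AD DS.

```python
"""Extract SMB delete events from Azure Files diagnostic (StorageWrite) logs.

Added illustration, not Microsoft code. Assumptions:
  * each line is one JSON record in the schema shown in the answer above;
  * a file deleted over SMB appears as a Close whose
    properties.smbCommandMinor is "FileCloseAndDelete";
  * statusCode 0 is success (as in the answer's example); anything else is
    treated as a failed attempt and excluded from the delete list;
  * identity.requester.smbPrimarySID is the AD DS user; mapping it to an
    account name is done against the domain out of band.
"""
import json
from collections import Counter

DELETE_MINOR_COMMANDS = {"FileCloseAndDelete"}


def parse_log_line(line):
    """Parse one log line; return None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def requester_sid(record):
    """AD DS SID of the caller, or None for records without a Kerberos identity."""
    identity = record.get("identity") or {}
    requester = identity.get("requester") or {}
    return requester.get("smbPrimarySID")


def is_smb_delete(record):
    """True when the record is a successful SMB close that deleted the file."""
    props = record.get("properties") or {}
    return (
        record.get("protocol") == "SMB"
        and record.get("category") == "StorageWrite"
        and record.get("statusCode") == 0
        and props.get("smbCommandMinor") in DELETE_MINOR_COMMANDS
    )


def extract_smb_deletes(lines):
    """Return [{time, sid, uri, ip}] for every successful SMB delete, in log order."""
    events = []
    for line in lines:
        record = parse_log_line(line)
        if record is None or not is_smb_delete(record):
            continue
        events.append({
            "time": record.get("time"),
            "sid": requester_sid(record),
            "uri": record.get("uri"),
            "ip": record.get("callerIpAddress"),
        })
    return events


def deletes_per_sid(events):
    """Count deletes per SID so an account removing many files stands out."""
    return Counter(e["sid"] for e in events)


# --- constructed sample data (invented values, same shape as the answer's example) ---
SID_ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SID_BOB = "S-1-5-21-1111111111-2222222222-3333333333-1106"    # constructed
SHARE = "\\\\saname.file.core.windows.net\\share"              # constructed
STATUS_ACCESS_DENIED = 0xC0000022  # NTSTATUS value used for a constructed failed attempt


def _record(time, operation, category, status, sid, uri, minor=None):
    """Build one constructed log line in the answer's schema (fields trimmed)."""
    props = {"accountName": "saname", "serviceType": "file"}
    if minor is not None:
        props["smbCommandMinor"] = minor
    return json.dumps({
        "time": time,
        "category": category,
        "operationName": operation,
        "statusCode": status,
        "callerIpAddress": "10.0.0.5",
        "identity": {"type": "Kerberos", "requester": {"smbPrimarySID": sid}},
        "properties": props,
        "uri": uri,
        "protocol": "SMB",
    })


SAMPLE_LOG_LINES = [
    _record("2023-09-12T10:00:00.0000000Z", "Close", "StorageWrite", 0, SID_ALICE, SHARE + "\\Reports\\Q3.pptx", "FileCloseAndDelete"),
    _record("2023-09-12T10:01:00.0000000Z", "Write", "StorageWrite", 0, SID_BOB, SHARE + "\\Reports\\Q4.pptx"),
    _record("2023-09-12T10:02:00.0000000Z", "Read", "StorageRead", 0, SID_BOB, SHARE + "\\Reports\\Q4.pptx"),
    _record("2023-09-12T10:03:00.0000000Z", "Close", "StorageWrite", 0, SID_ALICE, SHARE + "\\Reports\\old.docx", "FileCloseAndDelete"),
    _record("2023-09-12T10:04:00.0000000Z", "Close", "StorageWrite", STATUS_ACCESS_DENIED, SID_BOB, SHARE + "\\Reports\\Q3.pptx", "FileCloseAndDelete"),
    "this line is not JSON",  # malformed input must be skipped, not crash the run
]

if __name__ == "__main__":
    deletes = extract_smb_deletes(SAMPLE_LOG_LINES)
    for e in deletes:
        print(f"{e['time']}  {e['sid']}  from {e['ip']}  deleted {e['uri']}")
    print(deletes_per_sid(deletes))
```

In practice the input lines come from the storage account's diagnostic setting for the file service (exported to a storage container or a Log Analytics workspace); the same field names apply there. Renames and modifications can be picked out the same way by keying on `operationName` and the other `smbCommandMinor` values present in your own logs rather than on the single delete value shown in the answer.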
