Azure Storage Account connector for Microsoft Sentinel

Azure Storage account is a cloud solution for modern data storage scenarios. It contains all your data objects: blobs, files, queues, tables, and disks. This connector lets you stream Azure Storage accounts diagnostics logs into your Microsoft Sentinel workspace, allowing you to continuously monitor activity in all your instances, and detect malicious activity in your organization. For more information, see the Microsoft Sentinel documentation.

Connector attributes

Connector attribute Description
Log Analytics table(s) AzureMetrics (Azure Storage)
Data collection rules support Not currently supported
Supported by Microsoft Corporation

Query samples

All logs


| where TimeGenerated > ago(3d) 

| project TimeGenerated, OperationName, StatusCode, StatusText, _ResourceId

| sort by TimeGenerated


To integrate with Azure Storage Account make sure you have:

  • Policy: owner role assigned for each policy assignment scope

Vendor installation instructions

Connect your Azure Storage Account diagnostics logs into Sentinel.

This connector uses a set of Azure Policies to apply a log-streaming configuration to a collection of instances, defined as a scope. Follow the instructions below to create and apply policies to all current and future instances. To get most out of the Storage Account Diagnostic logging from the Azure Storage Account, we recommend that you enable Diagnostic logging from all services within the Azure Storage Account - Blob, Queue, Table and File. Note, you may already have an active policy for this resource type.

Next steps

For more information, go to the related solution in the Azure Marketplace.