Description:

Storage Logging captures and records all request-level operations made to the Azure Blob service, including read, write, and delete actions. When enabled, it logs critical details such as requester identity, timestamp, IP address, operation type, and status. These logs provide essential visibility for monitoring access patterns, troubleshooting service issues, conducting performance analysis, and supporting comprehensive security audits.


Rationale:

Enabling Storage Logging ensures that every interaction with blob data is traceable. This capability is vital for:

  • Detecting unauthorized or anomalous access attempts

  • Supporting forensic investigations by reconstructing events

  • Meeting regulatory and organizational compliance requirements that mandate audit logging

  • Enhancing operational insights into how storage resources are being used


Impact:

  • Provides full visibility into blob service activity across read, write, and delete operations

  • Strengthens security monitoring by enabling the detection of suspicious or unauthorized behavior

  • Supports compliance efforts through detailed audit trails

  • Generates additional storage consumption for log retention, which may increase costs

  • Requires administrators to maintain retention policies and manage log lifecycle


Default Value:

Storage Logging for the Azure Blob service is disabled by default.


Pre-requisites:

  • Global Administrator or Security Administrator permissions

  • The storage account must support Blob service logging (diagnostic settings for the blob sub-resource)


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for the Azure Storage Account and select the particular storage account.

  3. On the left side, under Monitoring, select Diagnostic settings.

  4. Confirm that logging is enabled for the Blob service with Read, Write, and Delete operations selected.

  5. If logging is disabled, or any of the Read, Write, or Delete operations is not selected, follow the Implementation Steps.
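The portal check above can also be performed from the CLI. The following script is an added example, not part of this benchmark: it parses the JSON that `az monitor diagnostic-settings list --resource <blob-service-resource-id>` returns for the blob sub-resource of a storage account and reports which of the required log categories (StorageRead, StorageWrite, StorageDelete) no diagnostic setting enables. It assumes the CLI output is either a bare JSON list or the older `{"value": [...]}` shape, and treats the `allLogs` category group as covering all three categories; the embedded samples are constructed, not real output.

```python
import json
import sys

# Blob-service log categories the benchmark requires (Read, Write, Delete).
REQUIRED = {"StorageRead", "StorageWrite", "StorageDelete"}


def enabled_categories(setting: dict) -> set:
    """Categories one diagnostic setting captures; the 'allLogs' group covers all of them."""
    cats = set()
    for log in setting.get("logs", []):
        if not log.get("enabled"):
            continue
        if log.get("categoryGroup") == "allLogs":
            return set(REQUIRED)
        if log.get("category"):
            cats.add(log["category"])
    return cats


def missing_categories(settings_output: str) -> set:
    """Parse `az monitor diagnostic-settings list` JSON (a bare list, or the older
    {"value": [...]} shape) and return the required categories no setting enables.
    An empty result means the account passes the check."""
    data = json.loads(settings_output)
    settings = data.get("value", []) if isinstance(data, dict) else data
    covered = set()
    for setting in settings:
        covered |= enabled_categories(setting)
    return REQUIRED - covered


# Constructed samples (not real CLI output): one setting skips reads, one uses allLogs.
SAMPLE_PARTIAL = json.dumps([{"name": "blob-audit", "logs": [
    {"category": "StorageRead", "enabled": False},
    {"category": "StorageWrite", "enabled": True},
    {"category": "StorageDelete", "enabled": True},
]}])
SAMPLE_FULL = json.dumps([{"name": "blob-audit", "logs": [
    {"categoryGroup": "allLogs", "enabled": True},
]}])

if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to evaluate the constructed samples.
    inputs = [("stdin", sys.stdin.read())] if not sys.stdin.isatty() else [
        ("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL)]
    for label, text in inputs:
        gap = missing_categories(text)
        print(f"{label}: {'PASS' if not gap else 'FAIL, missing ' + ', '.join(sorted(gap))}")
```

To audit a real account, pipe the CLI output in: `az monitor diagnostic-settings list --resource "<storage-account-resource-id>/blobServices/default" | python check_blob_logging.py` (the script name is an assumption).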


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under Monitoring, select Diagnostic settings, and click the blob service.

  4. Click Add diagnostic setting.

  5. In the diagnostic setting, provide a name, select all logs (Read, Write, and Delete), and choose the destination storage account to send the logs to.

  6. Save the setting; the diagnostic setting will be created.


Backout plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. Under Monitoring, select Diagnostic settings. Click Edit setting next to the blob service diagnostic setting.

  4. Click Delete to remove the diagnostic setting.


Reference: