Description:

Storage Logging for the Azure Table service captures all request-level operations, including read, write, and delete actions. When enabled, it records essential details such as requester identity, access type, timestamps, and operation outcomes. This logging provides valuable visibility into how table storage is accessed and used, supporting auditing, troubleshooting, performance analysis, and security monitoring.


Rationale:

Enabling Storage Logging ensures that all interactions with the Table service are traceable, which is critical for:

  • Detecting unauthorized or suspicious access attempts

  • Supporting forensic investigations by reconstructing historical activities

  • Meeting regulatory, governance, and audit requirements for tracking data operations

  • Enhancing operational insight into application behavior and storage usage patterns.


Impact:

  • Improves visibility into all Table service operations (read/write/delete)

  • Strengthens security monitoring and facilitates detailed audit trails

  • Aids in troubleshooting operational and performance issues

  • Helps maintain compliance with internal and external regulatory requirements

  • Generates additional log data, increasing storage usage and associated costs

  • Requires ongoing management of log retention and lifecycle policies.


Default Value:

Storage Logging for the Azure Table service is disabled by default.

Pre-requisites:

  • Global Administrator or Security Administrator permissions.

  • The storage account must support Table service logging.


Test Plan:

  1. Sign in to the Azure Portal.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under Monitoring, select Diagnostic settings.

  4. Confirm that logging is enabled for the Table service, with Read, Write, and Delete operations selected.


  5. If it is OFF, follow the Implementation Steps.
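
The check in step 4 can also be made against the JSON returned by `az monitor diagnostic-settings list --resource <storage-account-id>/tableServices/default`. The script below is an added example, not part of the original control text; the function names are hypothetical and the sample JSON is constructed. It treats an operation as logged when any diagnostic setting that has a destination enables its category.

```python
import json

# Log categories behind the portal's Read / Write / Delete checkboxes.
REQUIRED = {"StorageRead", "StorageWrite", "StorageDelete"}
DESTINATIONS = ("storageAccountId", "workspaceId", "eventHubAuthorizationRuleId")

def enabled_categories(setting):
    """Required categories that one diagnostic setting actually turns on."""
    found = set()
    for entry in setting.get("logs") or []:
        if not entry.get("enabled"):
            continue  # listed but switched off
        if entry.get("categoryGroup") == "allLogs":
            return set(REQUIRED)  # the allLogs group covers every category
        if entry.get("category") in REQUIRED:
            found.add(entry["category"])
    return found

def missing_categories(settings_json):
    """Return the sorted required categories no setting with a destination logs."""
    data = json.loads(settings_json)
    # Accept either a bare list or a {"value": [...]} wrapper.
    settings = data.get("value", []) if isinstance(data, dict) else data
    covered = set()
    for setting in settings:
        if any(setting.get(key) for key in DESTINATIONS):
            covered |= enabled_categories(setting)
    return sorted(REQUIRED - covered)

# Constructed sample: Delete is present but disabled, so the control fails.
SAMPLE = json.dumps([{
    "name": "table-logging",
    "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                        "/resourceGroups/example-rg/providers"
                        "/Microsoft.Storage/storageAccounts/examplelogs",
    "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": True},
        {"category": "StorageDelete", "enabled": False},
    ],
}])

if __name__ == "__main__":
    gaps = missing_categories(SAMPLE)
    print("PASS" if not gaps else "FAIL, not logged: " + ", ".join(gaps))
```

An empty result means the control passes; any returned category is an operation type that is not being logged for the Table service.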


Implementation Steps:

  1. Sign in to the Azure Portal.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. In the left-hand menu, under Monitoring, select Diagnostic settings. Click on Table Services.


  4. Add a new Diagnostic setting.

  5. In the diagnostic setting, provide a name, select all logs (Read, Write, and Delete), and choose the destination storage account to send the logs.

  6. It will create a Diagnostic



Backout plan:

  1. Sign in to the Azure Portal.

  2. Search for Azure Storage Accounts and select the specific storage account.

  3. Under Monitoring, select Diagnostic settings. Click Edit settings.

  4. Click on delete.

