Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Top storage accounts by activity
Storage accounts with the highest number of GET and PUT operations.
CloudStorageAggregatedEvents
| summarize TotalGets = sum(TotalBlobGetOperations), TotalPuts = sum(TotalBlobPutOperations) by StorageAccountName
| order by TotalGets desc
| limit 50
Storage access from anonymous sources
Storage accounts accessed anonymously, grouped by IP address and location.
CloudStorageAggregatedEvents
| where AnonymousSuccessfulOperations > 0
| summarize TotalAnonymousOps = sum(AnonymousSuccessfulOperations) by StorageAccountName, ClientIPAddress, CountryName
| order by TotalAnonymousOps desc
| limit 100
Storage access from suspicious IPs
Storage access events from Tor exit nodes or known suspicious IP addresses.
CloudStorageAggregatedEvents
| where IsTorExitNode == true or IsKnownSuspiciousIp == true
| project TimeGenerated, StorageAccountName, ClientIPAddress, CountryName, CityName, IsTorExitNode, IsKnownSuspiciousIp, TotalBlobGetOperations, TotalBlobPutOperations
| limit 100