☁️
CTHFM: Azure
  • Welcome
  • Getting Started
    • Account Setup
      • Account Creation Instructions
  • Azure Fundamentals
    • Azure Fundamentals Overview
      • Azure Documentation
      • Azure Entra
      • Azure Hierarchy
      • Identities
      • Azure Entra Roles
      • Azure RBAC
      • Azure Licensing Overview
        • Azure Entra ID Premium Licenses Comparison
      • Azure Shared Responsibility Model
      • Azure Frameworks
      • Azure Security Services
      • Conditional Access Policies
        • How Conditional Access Policies Work
        • Benefits of Conditional Access
        • Best Practices for Conditional Access
        • Conditions for Conditional Access
        • Conditional Access Controls
        • Sign-In Risk and Identity Protection
        • Conditional Access Session Control
        • Name Locations IP Location
      • Azure Quotas
      • Azure Tokens
        • Access Tokens
        • ID Tokens
        • Refresh Tokens
          • Invalidate Refresh Tokens
        • Primary Refresh Tokens
        • Continuous Access Evaluation (CAE)
        • Token Protection: Conditional Access (Public Preview)
  • Azure CLI
    • Introduction to Azure CLI
    • Installing Azure CLI
    • CLI Commands
    • Resource Group Management
    • Creating and Managing Resources with Azure CLI
    • Managing IAM
    • Azure CLI Automation
    • Monitoring and Troubleshooting in Azure CLI
    • Azure CLI Overview
      • Azure CLI: Linux
      • Azure CLI: Windows
      • Azure CLI: MacOS
  • KQL
    • KQL Overview
      • KQL Introduction
      • Data Types
      • Quick Reference
      • Render
      • Basic Queries
  • Powershell
    • PowerShell for Azure
      • Powershell Documentation
      • Powershell Basics
      • Understanding Powershell Variables
      • Understanding Cmdlets
      • Powershell Console & ISE
      • Powershell: Entra Module
        • Module Reference & Getting Started
      • Powershell: Azure Module
        • Installation Instructions
        • Powershell Azure CLI: Windows
        • Powershell Azure CLI: Linux
        • Powershell Azure CLI: MacOS
        • Example Azure Cmdlets
  • Bicep
    • Bicep File Structure
    • Variable Types
  • Azure Logging References
    • Logging
      • Log Retention Strategies
      • Azure Log Types
      • Azure Activity Logs
        • Administrative Event Schema
        • Service Health Notification Schema
        • Resource Health
        • Alert Category
        • Autoscale
        • Security
        • Recommendation
        • Policy
      • Entra ID Logging
        • Identity Based Logs
          • Audit Logs
          • Sign-In Logs
            • AADNonInteractiveUserSignInLogs
            • AADManagedIdentitySignInLogs
            • AADServicePrincipalSignInLogs
            • First Party Sign-In Activity
          • Provisioning Logs (AADProvisioningLogs)
          • Microsoft Graph Activity
          • Identity Protection
            • Risk Detections
            • AADRiskyServicePrincipals
            • AADRiskyUsers
            • AADUserRiskEvents
            • AADServicePrincipalRiskEvents
        • Additional Entra ID Logs
      • Azure Key Vault
        • Azure Key Vault Logging Overview
      • Network Watcher
        • RBAC Permissions
        • Flow Log Types
          • NSG Flow Log Schema
          • VNET Flow Log Schema
        • Enabling Logs
          • NSG Flow Logs
          • VNET Flow Logs
        • Packet Capture
          • Packet Capture: VM
          • Packet Capture: Scale Sets
      • Compute Resources
        • Azure Monitor Agent
        • VM Insights
          • VM Insights Tables
      • Storage Accounts
        • Storage Account Logging
          • File
            • Enable StorageFileLogs
            • StorageFileLogs
          • Blob
            • Enable Blob Logging
            • StorageBlobLogs
          • Queue
            • Enable Queue Logging
            • StorageQueueLogs Table
          • Table
            • Enable Table Logging
            • StorageTableLogs Table
      • Azure App Service
        • Log Types
        • Enabling Logging
      • Azure Monitor
        • Resource Logs
          • Resource Log Top Level Documentation
        • Log Analytics Workspace
          • Setup
        • Workbooks
        • Dashboards
        • Alerts
        • Azure Monitor Documentation
      • Defender for Cloud
      • Intune
      • Sysmon
      • Purview Audit Log Schema
      • Kubernetes Audit Log (AKS)
  • Threat Hunting
    • Threat Hunting in Azure
      • Threat Hunting Introduction
      • Threat Hunting Process
        • Hypothesis Generation
        • Investigation
        • Identification
        • Resolution & Follow Up
      • Pyramid of Pain
      • Azure Threat Hunting Ideas
      • Hands On Threat Hunting Examples
      • OSINT Feeds
  • Sigma
    • Sigma Rule Structure
  • Microsoft Defender TI
    • Microsoft Defender Threat Intelligence
      • Data Sets
      • Reputational Scoring
      • Analyst Insights
      • Microsoft Defender TI: Copilot Integration
  • MITRE Att&ck
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Data Sources
      • MITRE Att&ck Mitigations
      • MITRE Att&ck: Azure
        • MITRE Att&CK: Azure Security Control Mapping
  • Microsoft Resources
    • Microsoft Incident Response Ninja Hub
    • Microsoft Defender XDR Ninja Hub
  • Azure Threat Research Matrix (ATRM)
  • Security Research & Resources
    • Azure Goat
    • Azure Security Research
      • Azure Related CVEs
  • Defender XDR
    • Defender XDR Overview
    • Defender XDR Licensing
    • Defender XDR Default Retention
    • Defender XDR Advanced Hunting Table Schemas
    • Automated Response Requirements
    • Supported Response Actions
  • Azure Sentinel
    • Sentinel Overview
    • Azure Sentinel Deployments
    • Supported Data
    • Workbook, Playbook, Notebook Comparison
    • Sentinel Workbooks
    • Entities
    • User and Entity Behavior Analytics
    • Anomaly Detection
    • Mult-Stage Attack Detection
    • Sentinel: Az CLI
  • Microsoft Defender
    • Microsoft Defender for Cloud References
    • Defender for Cloud: Az CLI
  • Azure Policy
    • Azure Policy
    • Azure Policy Components
    • Azure Policy Rules
    • Scope Azure Policy
    • Policy Assignments
    • Policy Effect
    • Initiative Definition
    • Policy Parameters
    • Remediation Task Structure
    • Use Cases for Azure Policy
    • Azure Policy: Az CLI
  • Intune
    • Intune Overview
    • Intune Licensing
    • Intune API Permission Scopes
    • Intune Sample Script Resources
  • Intune Logging
    • Configure Logging
    • Logging Schema References
    • Intune Queries and Resources
  • Windows Host Security
    • Windows System Architecture and OS Fundamentals
    • SysInternals
    • Basic vs Advanced Security Auditing
    • Sysmon
  • Adversary Emulation
    • AzureHound
    • AADInternals
      • Install
    • RoadTools
      • Install
    • Oh365UserFinder
    • GraphRunner
  • Incident Response
    • Incident Response
      • Azure IR Program Development Cheat Sheet
      • Azure IR Playbooks (MS Guidance)
      • Ransomware (MS Guidance)
  • Automation
    • Automation Overview
    • Logic Apps
      • How Logic Apps Work
      • Logic App Types
      • Triggers
      • Connectors
      • Conditional Logic and Control Flow
      • APIs in Logic Apps
      • Handling Large Workflows with Stateful Logic Apps
      • External Service Integration
      • Securing, Managing, and Scaling Azure Logic Apps
      • Logic Apps: Az CLI
  • Packet Analysis
    • Wireshark Cheatsheet
    • TShark Cheatsheet
    • TCPDUMP Cheatsheet
    • Protocol Analysis Basics
    • HTTP Response Code Cheatsheet
    • RFC Protocol Mappings
    • PCAP Acquisition
  • Detection Lab
    • Detection Lab Introduction
    • Account Creation Instructions
    • Enable MFA Within Azure Tenant
    • Create an Azure Admin With Cloud Shell
    • Setup and Install Instructions
  • VSCode and Code Setup
  • Deploying Code
  • Enabling Logs for Log Analytics Workspace
  • Logging Into Windows VM
  • Verifying Logs in Log Analytics Workspace
  • Creating Detections: Azure Monitor
  • Cost Management: Billing Alarms
Powered by GitBook
On this page
  • File Logs:
  • StorageFileLogs (Data Plane)
  • File Storage Logs (Control Plane)
  • Github References
  • Additional References:
  • Monitoring Azure Files
  • StorageFileLogs Table
  • Logged Operations That Include Status Messages
  1. Azure Logging References
  2. Logging
  3. Storage Accounts
  4. Storage Account Logging
  5. File

StorageFileLogs

File Logs:

Logs come within two categories. These include data plane logs and control plane logs. The data plane logs are stored within a table called "StorageFileLogs" and the control plane logs are storage in the AzureActivity logs.

StorageFileLogs (Data Plane)

Column
Type
Description

AccountName

string

The name of the storage account.

AuthenticationHash

string

The hash of authentication token.

AuthenticationType

string

The type of authentication that was used to make the request.

AuthorizationDetails

dynamic

Detailed policy information used to authorize the request.

_BilledSize

real

The record size in bytes

CallerIpAddress

string

The IP address of the requester, including the port number.

Category

string

The category of requested operation.

ClientRequestId

string

The x-ms-client-request-id header value of the request.

ConditionsUsed

string

A semicolon-separated list of key-value pairs that represent a condition.

ContentLengthHeader

long

The value of the Content-Length header for the request sent to the storage service.

CorrelationId

string

The ID that is used to correlate logs across resources.

DurationMs

real

The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.

Etag

string

The ETag identifier for the returned object, in quotes.

_IsBillable

string

Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account

LastModifiedTime

datetime

The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.

Location

string

The location of storage account.

MetricResponseType

string

Records the metric response for correlation between metrics and logs.

ObjectKey

string

The key of the requested object, in quotes.

OperationCount

int

The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.

OperationName

string

The type of REST operation that was performed.

OperationVersion

string

The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.

Protocol

string

The protocol that is used in the operation.

ReferrerHeader

string

The Referer header value.

RequestBodySize

long

The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.

RequesterAppId

string

The Open Authorization (OAuth) application ID that is used as the requester.

RequesterAudience

string

The OAuth audience of the request.

RequesterObjectId

string

The OAuth object ID of the requester.

RequesterTenantId

string

The OAuth tenant ID of identity.

RequesterTokenIssuer

string

The OAuth token issuer.

RequesterUpn

string

The User Principal Names of requester.

RequesterUserName

string

The user name of requester for SMB.

RequestHeaderSize

long

The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.

RequestMd5

string

The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.

_ResourceId

string

A unique identifier for the resource that the record is associated with

ResponseBodySize

long

The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.

ResponseHeaderSize

long

The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.

ResponseMd5

string

The value of the MD5 hash calculated by the storage service.

SasExpiryStatus

string

Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy

SchemaVersion

string

The schema version of the log.

ServerLatencyMs

real

The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester).

ServiceType

string

The service associated with this request.

SmbCommandDetail

string

More information about this specific request rather than the general type of request.

SmbCommandMajor

int

Value in SMB2_HEADER.Command, and is currently a number between 0 and 18 inclusive.

SmbCommandMinor

string

The subclass of SmbCommandMajor, where appropriate.

SmbCreditsConsumed

int

The ingress or egress consumed by the request, in units of 64k.

SmbFileId

string

The FileId associated with file or directory. Roughly analogous to an NTFS FileId.

SmbMessageID

string

The connection relative MessageId.

SmbPersistentHandleID

string

Persistent HandleID from an SMB2 Create request that survives network reconnects. Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Persistent.

SmbPrimarySID

string

Security Identifier of Kerberos Authenticated request

SmbSessionID

string

The SMB2 SessionId established at SessionSetup time.

SmbStatusCode

string

Status code for SMB in a hex format.

SmbTreeConnectID

string

The SMB TreeConnectID established at TreeConnect time.

SmbVolatileHandleID

string

Volatile HandleID from an SMB2 Create request that is recycled on network reconnects. Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Volatile.

SourceSystem

string

The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics

StatusCode

string

The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.

StatusText

string

The status of the requested operation.

_SubscriptionId

string

A unique identifier for the subscription that the record is associated with

TenantId

string

The Log Analytics workspace ID

TimeGenerated

datetime

The Universal Time Coordinated (UTC) time when the request was received by storage.

TlsVersion

string

The TLS version used in the connection of request.

Type

string

The name of the table

Uri

string

Uniform resource identifier that is requested.

UserAgentHeader

string

The User-Agent header value, in quotes.

File Storage Logs (Control Plane)

The links provided below provide reference to the different types of control plane REST API calls that would be observed within the Azure Activity Log.

Control Plane API: Storage Account

Control Plane API: File Service

Control Plane API: File Share

Control Plane: Azure File Operations:

Control Plane API: File Shares

Control Plane API: Directories

Control Plane API: Files

Github References

These references provide documentation on file monitoring best practices.

Storage File Monitoring Reference:

Storage File Monitoring Reference:

Additional References:

The following references below reference the documentation for Azure Files, the table schema referenced above as well as the error and status message logging for storage analytics.

Monitoring Azure Files

StorageFileLogs Table

Logged Operations That Include Status Messages

Last updated 9 months ago

Azure Storage Resource Provider REST APIMicrosoftLearn
Logo
File Services - REST API (Azure Storage Resource Provider)MicrosoftLearn
Logo
File Shares - REST API (Azure Storage Resource Provider)MicrosoftLearn
Logo
Operations on the FileService resource - Azure FilesMicrosoftLearn
Logo
Operations on the FileShare resource - Azure FilesMicrosoftLearn
Logo
Operations on directories (FileREST API) - Azure FilesMicrosoftLearn
Logo
Operations on files (FileREST API) - Azure FilesMicrosoftLearn
Logo
azure-docs/articles/storage/files/storage-files-monitoring-reference.md at main · MicrosoftDocs/azure-docsGitHub
azure-docs/articles/storage/files/storage-files-monitoring.md at main · MicrosoftDocs/azure-docsGitHub
Monitor Azure Files using Azure MonitorMicrosoftLearn
Logo
Azure Monitor Logs reference - StorageFileLogsMicrosoftLearn
Logo
Storage Analytics logged operations and status messages (REST API) - Azure StorageMicrosoftLearn
Logo
Logo
Logo