
Commit e8ee3b5

Merge pull request #114318 from Amrinder-Singh29/patch-80
Update blob-storage-monitoring-scenarios.md
2 parents 2c149b8 + c0d325a commit e8ee3b5

1 file changed

+4
-1
lines changed

articles/storage/blobs/blob-storage-monitoring-scenarios.md

Lines changed: 4 additions & 1 deletion
@@ -124,9 +124,12 @@ For the "when" portion of your audit, the `TimeGenerated` field shows when the l
124124
For the "what" portion of your audit, the `Uri` field shows the item was modified or read.
125125

126126
For the "how" portion of your audit, the `OperationName` field shows which operation was executed.
127-
127+
> [!TIP]
128+
> For example, if you suspect that a blob or container has been deleted by mistake, then add a `where` clause that returns only log entries where the `OperationName` is set to either [Delete blob](/rest/api/storageservices/delete-blob) or [Delete Container](/rest/api/storageservices/delete-container).
128129
For the "who" portion of your audit, `AuthenticationType` shows which type of authentication was used to make a request. This field can show any of the types of authentication that Azure Storage supports including the use of an account key, a SAS token, or Azure Active Directory (Azure AD) authentication.
129130

131+
If the request is authorized by using Azure AD, you can use the `RequestObjectId` field to identify the "who". Shared Key and SAS authentication provide no means of auditing individual identities. In those cases, the `callerIPAddress` and `userAgentHeader` fields might help you to identify the source of the operation. If a SAS token was used to authorize an operation, you can identify that token, and if you've mapped tokens to token recipients at your end, you can identify which user, organization, or application has performed the operation. See [Identifying the SAS token used to authorize a request](#identifying-the-sas-token-used-to-authorize-a-request).
132+
130133
#### Identifying the security principal used to authorize a request
131134

132135
If a request was authenticated by using Azure AD, the `RequesterObjectId` field provides the most reliable way to identify the security principal. You can find the friendly name of that security principal by taking the value of the `RequesterObjectId` field, and searching for the security principal in Azure AD page of the Azure portal. The following screenshot shows a search result in Azure AD.
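
Review bot: The added paragraph after the `AuthenticationType` line names the field `RequestObjectId`, while the unchanged section directly below it ("Identifying the security principal used to authorize a request") calls it `RequesterObjectId`. One of the two is misspelled, and a query built from the wrong name won't work, so the new paragraph should use the same name as the existing text. The same paragraph writes `callerIPAddress` and `userAgentHeader` in camelCase while every other field in this hunk (`TimeGenerated`, `Uri`, `OperationName`, `AuthenticationType`) is PascalCase; please confirm the casing against the log schema before merging. In the TIP, the `where` clause advice links to the Delete blob and Delete Container REST pages but never gives the literal values that `OperationName` holds for those operations; stating the exact strings to filter on would make the tip usable as written. The new paragraph also repeats guidance that the following "Identifying the security principal" section already gives for Azure AD requests, so consider trimming it to the Shared Key and SAS cases and the cross-reference.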
