Monitor Large Amounts of DATA Movements in Azure Storage Account File Shares - NETSEC



Cybersecurity Memo

Monday, November 28, 2022


Azure Monitor
Collect, analyze, and act on telemetry data from your cloud and hybrid environments. Azure Monitor supports your operations at scale by helping you maximize the performance and availability of your resources and proactively identify problems.

This post summarizes the steps to create a basic alert that monitors upload and download traffic to and from an Azure storage account file share.

Azure Monitor Overview

Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues that affect them and the resources they depend on.

The following diagram gives a high-level view of Azure Monitor.

  • The stores for the data platform are at the center of the diagram. Azure Monitor stores these fundamental types of data: metrics, logs, traces, and changes.
  • The sources of monitoring data that populate these data stores are on the left.
  • The different functions that Azure Monitor performs with this collected data are on the right. These include analysis and alerting.
  • At the bottom is a layer of integration pieces. These are actually integrated throughout other parts of the diagram, but that is too complex to show visually.

[Diagram: overview of Azure Monitor (image not reproduced here)]

Azure Monitor Cost

Azure Monitor uses consumption-based pricing, which is also known as pay-as-you-go pricing. With this billing model, you only pay for what you use. Features of Azure Monitor that are enabled by default don't incur any charge. These features include collection and alerting on the Activity log and collection and analysis of platform metrics.

Estimate Azure Monitor usage and costs

If you're new to Azure Monitor, use the Azure Monitor pricing calculator to estimate your costs. In the Search box, enter Azure Monitor, and then select the Azure Monitor tile. The pricing calculator helps you estimate your likely costs based on your expected utilization.

The bulk of your costs typically come from data ingestion and retention for your Log Analytics workspaces and Application Insights resources. It's difficult to give accurate estimates for data volumes that you can expect because they'll vary significantly based on your configuration.

A common strategy is to enable monitoring for a small group of resources and use the observed data volumes with the calculator to determine your costs for a full environment.

Alerts in Azure Monitor

Alerts in Azure Monitor proactively notify you of critical conditions and can attempt to take corrective action. Alert rules based on metrics provide near-real-time alerts on numeric values. Rules based on logs allow complex logic across data from multiple sources.

Alert rules in Azure Monitor use action groups, which contain unique sets of recipients and actions that can be shared across multiple rules. Based on your requirements, action groups can perform such actions as using webhooks to have alerts start external actions or to integrate with your IT service management tools.

Create An Action Group

Skip the action type and tags windows (the defaults are fine for this basic alert).

Create Alert Rule


An email is received when the configured Azure Monitor alert is triggered.

If SMS was also configured in the action group, your phone receives a text message at the same time.

Using Diagnostic Settings to Monitor File Access

Create a Diagnostic Setting

Configure the StorageRead, StorageWrite and StorageDelete log categories, plus the Transaction metric, to be sent to a Log Analytics workspace:

If there is no Log Analytics workspace yet, create one:

To create an alert like this, use the following sample query; run it from the “Logs” blade of your Log Analytics workspace. Azure Files diagnostic logs land in the StorageFileLogs table, so the query must start with that table name (the original screenshot cut it off):

StorageFileLogs
| where OperationName == "GetFile"    // REST download of a file from the share
| where TimeGenerated > ago(1h)

More parameters can be found from

Execute a query:

Once the query has run, click “New alert rule”; this opens the panel for creating a new alert rule.

Set the threshold to 500 table rows: the alert fires when the query returns more than 500 rows, that is, more than 500 GetFile operations in the evaluation window. Keep in mind that a row count measures the number of operations, not the amount of data; 500 small reads and 500 multi-gigabyte downloads look identical to this rule.

Configure the action group:

Check the alert rules:

Other query example. The value compared against OperationName must match an operation name your account actually emits; list them first with "StorageFileLogs | distinct OperationName" and substitute the real name if "Write" does not appear:

StorageFileLogs
| where OperationName == "Write"
| where TimeGenerated > ago(10m)
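The two queries above alert on how many operations happened, which is not the same as how much data moved. The following query is an added example, not code from the original post: it sums bytes per caller and direction so the alert rule keys on volume. It assumes diagnostic logs are routed to the StorageFileLogs table with the standard Azure Storage resource-log columns (ResponseBodySize, RequestBodySize, CallerIpAddress, AuthenticationType, ObjectKey, StatusText); the operation names used for classification (GetFile/ReadFile for reads, PutRange/WriteFile for writes) and the 1 GiB per hour threshold are illustrative assumptions to be checked against your own logs.

```kql
// Added example (not from the original post): alert on bytes moved, not on row count.
// Assumptions: logs flow into StorageFileLogs; the OperationName values below and the
// 1 GiB / 1 h thresholds are illustrative. Confirm the names your account emits with:
//   StorageFileLogs | distinct OperationName
let lookback = 1h;
let byte_threshold = 1073741824;            // 1 GiB per caller per window (assumed threshold)
StorageFileLogs
| where TimeGenerated > ago(lookback)
| where StatusText == "Success"             // ignore failed, throttled or unauthorized requests
| extend Direction = case(
    OperationName in ("GetFile", "ReadFile"),   "download",
    OperationName in ("PutRange", "WriteFile"), "upload",
    "other")
| where Direction != "other"
// Downloads leave in the response body; uploads arrive in the request body
| extend Bytes = iff(Direction == "download", ResponseBodySize, RequestBodySize)
| summarize
    TotalBytes    = sum(Bytes),
    Operations    = count(),
    DistinctFiles = dcount(ObjectKey),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by AccountName, CallerIpAddress, AuthenticationType, Direction
| where TotalBytes > byte_threshold
| extend TotalGiB = round(TotalBytes / 1073741824.0, 2)
| project-reorder AccountName, CallerIpAddress, AuthenticationType, Direction,
                  TotalGiB, Operations, DistinctFiles, FirstSeen, LastSeen
| order by TotalBytes desc
```

Each returned row is one caller that exceeded the byte threshold in one direction, so when you click “New alert rule” on this query, set the measure to table rows, the threshold to greater than 0, and the aggregation granularity and evaluation frequency to the same 1 hour used by the lookback variable; splitting the rule by the CallerIpAddress dimension gives one alert per offending client instead of one alert for the whole account.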
