What log can I use to determine Storage Account Access Key Dumping. According to the Microsoft doc (https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1/)
There should be a log created for this. However, in practice when replicating the actions I cannot see a log produced that shows I have revealed the secret key.
To reproduce this:
Visit a storage account and go to the Access Keys (Do NOT press the show button)
Visit a different storage account, go to the Access Keys and press the show button
- I havent been able to test if the logging results are different if
'Get-AzStorageAccountKey'is used, however, i think it will be identical to using the azure portal.
When observing the logs, the two activities are identical from what I can see. This makes it difficult to determine who has actually viewed the key or copied it.
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue contains 'MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS'
| summarize make_set(ActivityStatusValue) by Caller, Resource
What modification to the KQL or other log source can I use to determine this activity?
No such differntiating logs AFAIK, Using the logs of the storage account azure activity query, one cannot determine if a caller has copied/showed/just visited the section of access key. It gives same identical logs for all 3 actions as below:
And another thing if you are visiting access keys page, then you can open or see the keys(even you do not see or copy key ), so the logs are stored in that manner that you have list the keys.
AFAIK, there is no logging about this information.