Skip to content

Microsoft.Storage/storageAccounts/stopLogging/action

Azure

Microsoft.Storage/storageAccounts/stopLogging/action

service: Azure - Azure Storage
techniques:

Event

Stops logging for an Azure Storage account, disabling the collection of storage analytics logs that record read, write, and delete requests against blob, table, and queue services.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Cloud storage services are frequent targets for data theft, as they often contain sensitive files, backups, and application data.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud invokes stopLogging on the flcoccamy001 storage account, halting Storage Analytics logging of read/write/delete operations against the storage account’s blob/table/queue services. Combined with the diagnostic-settings deletion earlier in the chain, this fully blinds storage-side telemetry before the destructive container/account deletes.

{
"authorization": {
"action": "Microsoft.Storage/storageAccounts/stopLogging/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "saSl226ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100011001",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100011010",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T17:39:55.7218411Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/events/90000000-0000-4000-8000-000100011010/ticks/638798202957218411",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100111010",
"operationName": {
"value": "Microsoft.Storage/storageAccounts/stopLogging/action",
"localizedValue": "Stop Storage Account Logging"
},
"resourceGroupName": "rg-occamy-pipeline",
"resourceProviderName": {
"value": "Microsoft.Storage",
"localizedValue": "Microsoft.Storage"
},
"resourceType": {
"value": "Microsoft.Storage/storageAccounts",
"localizedValue": "Microsoft.Storage/storageAccounts"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T17:39:56.2401872Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-occamy-pipeline/providers/Microsoft.Storage/storageAccounts/flcoccamy001/stopLogging",
"message": "Microsoft.Storage/storageAccounts/stopLogging/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...