Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
What Azure storage service has the User-Agent tag of 'services_xstore_transport_HTTP2/1.0'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 94%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKF%3C/text%3E%3C/svg%3E)
Kif F
0
Reputation points
Does anyone know what service is generating these logs on a GRS storage account? I'm assuming this is Azure backend replication, but these events only started happening less than 48 hours ago.
I've been looking at logs and this has been alerting due to coming from an unknown private IP address, based on key authentication, accessing what should be a restricted file share.
Below is the KQL query on the storage account logs
StorageFileLogs
| order by TimeGenerated desc
| where CallerIpAddress !contains "<Internal CIDR>"
| where AuthenticationHash !contains 'system-1'
| project TimeGenerated, AuthenticationType, StatusCode, CallerIpAddress, UserAgentHeader
These are the results, across a range of IPs. This screenshot shows 100.75.x.y, but there have also been 10.x.y.z IP addresses which don't belong to our internal network environment (either in Azure or otherwise).
Azure Storage
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 52%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Venkatesan S 1,165 Reputation points Microsoft External Staff Moderator2025-12-12T01:36:00.0233333+00:00 Hi Kif F,
Thanks for posting question in Microsoft Q&A forum,
Could you please extend your KQL query to include
OperationNameandStatusTextfields?StorageFileLogs | order by TimeGenerated desc | where CallerIpAddress !contains "<Internal CIDR>" | where AuthenticationHash !contains "system-1" | project TimeGenerated, OperationName, StatusText, AuthenticationType, StatusCode, CallerIpAddress, UserAgentHeaderOnce you run it, could you also share the
OperationNameandStatusTextvalue that appears in your environment?
Sign in to comment
Sign in to answer