The issue revolves around Azure Data Lake Storage, there has been an user who has been modifying permissions in the ACL's folders and we need to find a way to know who that is. what i'm trying to do is in the Storage Accounts section from Azure Portal in Monitoring>Logs do some kusto queries (for the Azure Tables that i think might have the information) to find the user changes but no matter the time range i pick there is no data provided at all
This are the queries:
StorageBlobLogs
| where TimeGenerated >= ago(24h) // Filter logs from the last 24 hours (adjust as needed)
| where OperationName == "Set Blob Service Properties" and Type == "SetAcl" // Filter for permission modification events
| project TimeGenerated, CallerIpAddress, OperationName, ObjectKey, RequesterUpn, RequesterTenantId, UserAgentHeader
AzureActivity
| where Category == "AuditLogs" and ResourceProvider == "MICROSOFT.DATALAKESTORE" and TimeGenerated <= ago(24h) and OperationName == "Set Access Control"
| project TimeGenerated, Caller, CallerIpAddress, ResourceId, ResourceGroup, OperationName, Level, ActivityStatus, Authorization_d, Resource, CorrelationId
The other think is that it might have some kind of data retention policy and that's why nothing happens, if so someone knows how to change that?
if there is another way to check and even be notified if someone changes the ACLs please let me know
Thanks!