Azure Files
Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts
Prerequisites
- Azure Application registered with required permissions
- Diagnostic Settings configured for storage accounts
- Azure Files Configuration completed
Create Monitoring Plan
Step 1: Create New Monitoring Plan
- In the Netwrix Auditor, go to Home > Monitoring Plans > + Add Plan
- Select Azure Files
- Configure:
- Audit database (SQL)
- Notifications (SMTP or Exchange Online)
- Plan name and description
- Select Add item now
Step 2: Add Item for Monitoring
- Option A – Storage Account → Enter Storage Account Name, Subscription ID, Tenant Name, Application ID, Application Secret
- Option B – Subscription → Enter Subscription Name, Subscription ID, Tenant Name, Application ID, Application Secret
Tip: If you have multiple storage accounts, use the subscription option for easier management
Step 3: Configure Monitoring Scope and Actions
- 
In the Netwrix Auditor, double-click your Azure Files plan 
- 
Enable Monitor this data source and collect activity data 
- 
Select actions: - 
Changes (Success/Fail) → Track file creation, modification, deletion, and failed attempts - Successful - Use this option to track changes to your data. It helps to find out who made changes to your files, including their creation and deletion
- Failed - Use this option to detect suspicious activity on Azure Files. It helps to identify potential intruders who tried to modify or delete files, etc., but failed to do it
 
- 
Read Access (Success/Fail) → Track file reads and unauthorized read attempts - Successful - Show successful attempts to read files
- Failed - Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification.Enabling this option on public shares will result in a high number of events generated on Azure Files and the amount of data written to the Long-Term Archive
 
 
- 
Note: Enabling read access auditing on public shares may generate high event volume
Tip: Only enable read auditing where compliance requires it (e.g., HR, Finance)
- Add exclusions → e.g., service accounts that produce excessive logs
- Monitored object types - Select from:
- Files
- Folders
- Shares
- Monitored actions - Configure which file operations to track
Step 5: Test Connection
Click Test Connection to verify:
- Azure Active Directory authentication
- Storage account access
- Audit log collection
Next Steps
After creating the monitoring plan:
- Verify data collection is working
- Configure reports as needed
- Set up alerts for important events
For configuration requirements, see Azure Files Configuration