All Guides

Secret Scanning in Azure Monitor Logs: The Overlooked Attack Surface

By the Netallion AI Assurance Team

April 28, 2026 8 min read

Azure Monitor is the telemetry backbone of Azure-native organizations. Application Insights captures traces, exceptions, and custom events. Azure Diagnostics records resource-level operations. Log Analytics workspaces aggregate millions of entries daily into a queryable store that operations teams rely on for debugging, performance monitoring, and incident response. This telemetry is essential for running production systems. It is also one of the largest unmonitored surfaces for secret exposure in the enterprise.

1. Why Secrets End Up in Logs

Secrets appear in logs through multiple pathways, most of them unintentional. Understanding these pathways is essential for both detection and prevention:

Debug Logging

When a production incident occurs, developers often increase the logging verbosity to diagnose the issue. Verbose logging may capture the full HTTP request and response including authorization headers, query parameters containing API keys, and request bodies with embedded credentials. After the incident is resolved, the verbose logging may remain enabled for days or weeks, continuously writing secrets to the log pipeline.

Error Messages and Stack Traces

When an application fails to authenticate to a service, the error message often includes the credential that was rejected. Connection string parsing errors expose the full connection string including embedded passwords. OAuth token refresh failures may log the client secret or refresh token in the exception details. These exceptions flow into Application Insights automatically through the SDK's unhandled exception capture.

Connection Strings in Configuration

Azure services frequently use connection strings that embed credentials. A storage account connection string includes the account key. A Service Bus connection string includes the SAS token. An Event Hub connection string includes the shared access key. When these connection strings are logged as part of application startup, configuration validation, or health check output, the embedded credentials are exposed.

Infrastructure-as-Code Deployment Logs

ARM template and Bicep deployments can log parameter values, including those marked as secure strings, when deployment failures occur. Terraform state operations logged through Azure DevOps pipelines may include sensitive outputs. These deployment logs persist in Azure Monitor and contain credentials that were intended to be transient.

# Common secret patterns found in Azure Monitor logs

- Azure Storage account keys

- SQL Server connection strings with passwords

- Service Bus / Event Hub SAS tokens

- Azure AD client secrets

- Bearer tokens in HTTP headers

- API keys in query parameters

- Cosmos DB primary keys

- Redis access keys

- SMTP credentials in email service configs

2. The Scale of the Problem

A mid-sized Azure-native organization with 50 application services may generate 10 to 50 million log entries per day across Application Insights and Log Analytics workspaces. In our analysis of enterprise Azure Monitor deployments, we consistently find that 0.01% to 0.05% of log entries contain at least one secret or credential. That translates to 1,000 to 25,000 secret exposures per day in a single organization's logs.

Unlike secrets committed to a code repository, secrets in logs are actively in use by production systems at the time they are logged. A secret found in an Azure Monitor log is not just a potential risk. It is a confirmed active credential being processed by a running application. This makes log-based secret exposure fundamentally more dangerous than code-based exposure.

Log retention compounds the problem. Default Log Analytics retention is 30 days, but many organizations configure 90-day or 365-day retention for compliance purposes. Every exposed secret persists in the log store for the entire retention period, accessible to anyone with Log Analytics reader permissions.

3. Why No Other Tool Scans Azure Monitor

The secret detection market has focused on three surfaces: code repositories, CI/CD pipelines, and SaaS applications. No mainstream security vendor offers Azure Monitor log scanning for secrets. The reasons are both technical and commercial:

  • Volume — Scanning millions of log entries per day requires a detection engine optimized for throughput, not just accuracy. Most secret scanners are designed for file-based scanning at commit time, not streaming log analysis.
  • Structure — Log entries have heterogeneous formats. A single Log Analytics workspace may contain data from dozens of sources, each with different schemas. The scanner must handle structured JSON, semi-structured key-value pairs, and unstructured text within the same pipeline.
  • Access model — Azure Monitor requires Azure AD authentication and specific RBAC permissions. Integrating with Log Analytics workspaces requires understanding KQL (Kusto Query Language), workspace configuration, and the Azure Monitor data model.
  • Market focus — Secret detection vendors have prioritized the developer workflow (pre-commit, PR checks, repository scanning) because that is where buyers currently expect protection. Log scanning is seen as adjacent to SIEM functionality, creating a gap where neither secret detection vendors nor SIEM vendors cover the use case.

4. What We Find in Azure Monitor Logs

Based on scans across enterprise Azure Monitor deployments, the most common secret types found in logs are:

Secret TypeFrequency
Azure Storage account keysVery common
SQL connection strings with passwordsVery common
Bearer tokens in HTTP tracesCommon
SAS tokens (Service Bus, Event Hub, Storage)Common
Azure AD client secretsModerate
Cosmos DB primary keysModerate
Third-party API keysModerate
SMTP credentialsLess common

Live verifiers confirm whether discovered secrets are still active. In our experience, 60% to 80% of secrets found in Azure Monitor logs are still valid at the time of detection. This is significantly higher than the 20% to 30% active rate typically seen in code repository scanning, because log entries capture secrets at the moment they are being used by production systems.

5. How Netallion AI Assurance's Azure Monitor Connector Works

The Azure Monitor connector is a core integration in Netallion AI Assurance, designed from the ground up for high-throughput log scanning:

  • Workspace connection — Connects to one or more Log Analytics workspaces via Azure AD app registration with Log Analytics Reader permissions. No agent installation required.
  • KQL-optimized queries — Uses optimized KQL queries to efficiently retrieve log batches from Application Insights traces, exceptions, custom events, and diagnostic logs.
  • 497 detection patterns — Scans every log entry against 497 secret and sensitive data patterns. BPE tokenization analysis catches generic secrets that pattern-based detection misses.
  • 20 live verifiers — Automatically verifies whether detected secrets are still active by testing them against their respective APIs. Active secrets are flagged as critical priority.
  • Deduplication — Intelligently deduplicates findings when the same secret appears across multiple log entries, presenting a single finding with the full timeline of exposures.
  • One-click remediation — Rotate exposed Azure Storage keys, regenerate SAS tokens, revoke Azure AD client secrets, and reset database passwords directly from the findings dashboard.

6. Setup Guide

Step 1: Create an Azure AD app registration

Register a new application in Azure AD for Netallion AI Assurance. No redirect URI is needed as this uses client credential authentication.

Step 2: Grant Log Analytics Reader permissions

Assign the Log Analytics Reader role to the app registration at the workspace or resource group level. This grants read-only access to log data.

Step 3: Configure the connector in Netallion AI Assurance

Navigate to Settings → Connectors → Azure Monitor. Enter your tenant ID, client ID, client secret, and workspace ID. Test the connection to verify access.

Step 4: Configure scan schedule

Set the scan interval (default: every 15 minutes). Configure which log tables to scan. We recommend starting with AppTraces, AppExceptions, and AppRequests.

Step 5: Review initial findings

The first scan typically completes within minutes. Review findings on the dashboard. Prioritize verified active secrets for immediate remediation.

The entire setup process takes under 15 minutes. Most organizations see their first findings within the initial scan cycle. We recommend running a historical backfill scan covering the full retention period of your Log Analytics workspace to identify secrets that may have been exposed for weeks or months.

7. Reducing Log Exposure at the Source

Detection and remediation are critical, but prevention reduces the volume of exposures over time. Implement these practices to reduce secrets in logs at the source:

  • Structured logging — Use structured logging frameworks that separate message templates from parameter values. Configure sensitive parameters to be redacted automatically.
  • Log sanitization middleware — Add middleware to your logging pipeline that scans for secret patterns before entries are written. This catches secrets at the application layer before they reach Azure Monitor.
  • Application Insights telemetry processors — Use ITelemetryProcessor implementations to redact sensitive values from traces, exceptions, and custom events before they are sent to Application Insights.
  • Managed identities — Replace connection strings and API keys with Azure Managed Identities wherever possible. Managed identities eliminate static credentials entirely, removing the possibility of logging them.
  • Verbosity controls — Implement automatic log level reduction. If verbose logging is enabled for debugging, automatically revert to standard logging after a configurable timeout (e.g., 30 minutes).

// Example: C# telemetry processor for redaction

public class SecretRedactionProcessor

: ITelemetryProcessor

{

public void Process(ITelemetry item)

{

if (item is TraceTelemetry trace)

trace.Message = Redactor.Redact(trace.Message);

if (item is ExceptionTelemetry ex)

ex.Message = Redactor.Redact(ex.Message);

}

}

8. Closing the Gap

Azure Monitor log scanning is not optional for organizations that take secret security seriously. If you are scanning code repositories and pull requests but not scanning your logs, you are protecting the development workflow while leaving the production environment exposed. Secrets in logs are active, verified, and persistent. They represent the highest risk category of secret exposure because they confirm that the credential is in production use.

Start with a single Log Analytics workspace. Connect it to Netallion AI Assurance. Review what you find. The results will make the case for expanding coverage to every workspace in your environment.

Related Guides

Non-Human Identity Lifecycle Management Guide →How to Secure GitHub Copilot in Your Organization →EU AI Act Compliance Checklist for AI-Powered Applications →

Scan your Azure Monitor logs for secrets

Start a 14-day Business trial of Netallion AI Assurance. Connect your first Log Analytics workspace in under 15 minutes.

Start Free Trial