Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home KQL

Azure Sentinel Analytics Rule to Keep Track of Cloud Shell

Azure Sentinel News Editor by Azure Sentinel News Editor
December 29, 2020
in KQL
0
Enriching Windows Security Events with Parameterized Function
3.1kViews
882 Shares Share on Facebook Share on Twitter

I’ve been asked several times for the ability to use Azure Sentinel to keep track of who is executing Azure Cloud Shell. So, I finally put together a quick Analytics Rule that will identify when Cloud Shell is run and report on the user and IP address used. It definitely still needs to be tuned somewhat, but works, as is.

The IP Address captured relates directly to the Azure datacenter/region Cloud Shell is run from, but it’s still useful to know in some cases. The user is the important piece.

//KQL for Analytics Rule to track Cloud Shell Execution

AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| where ActivityStatusValue == "Started"
| extend action_ = tostring(parse_json(Authorization).action) 
| summarize count() by ResourceGroup  , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue,  CategoryValue , action_
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Grab the most current version from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/AR-CloudShellExecution.txt

If you decide to use it as an Analytics Rule, I recommend grouping the alerts in the following manner:

For scheduling, I run the Rule every day, looking through the last day’s worth of logs.

I also recommend that if you want to use this for simple reporting it would actually be better to integrate it into a Workbook visual.

Cloud Shell in a Workbook

Reference: https://azurecloudai.blog/2020/08/13/azure-sentinel-analytics-rule-to-keep-track-of-cloud-shell/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
KQL

New Azure Sentinel Learning Modules Released

February 1, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Connect the New Intune Devices Log Azure Sentinel

January 26, 2021
What’s new: Microsoft Teams connector in Public Preview
KQL

How to Create a Backup Notification in the Event an Unauthorized User Accesses Azure Sentinel

January 11, 2021
Next Post
Microsoft announces security, identity, management, and compliance updates across Azure and Office

Updated Azure Sentinel Workbook: MITRE ATTACK Framework Reference

Microsoft announces security, identity, management, and compliance updates across Azure and Office

KQL Methods to Display a Per-Day Occurrence in Azure Sentinel

Microsoft introduces integrated Darktrace-a-like, Azure Sentinel

Download and Backup Your Azure Sentinel Playbooks

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Microsoft renames and unifies more products under Microsoft Defender brand

Microsoft renames and unifies more products under Microsoft Defender brand

4 months ago
Aggregating Insider Risk Management Information via Azure Sentinel

Aggregating Insider Risk Management Information via Azure Sentinel

6 months ago
Microsoft suspends 18 Azure accounts tied to China-based hackers

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

3 weeks ago
Enriching Windows Security Events with Parameterized Function

Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel

3 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Trending

What’s new: Microsoft Teams connector in Public Preview
AI & ML

Azure Sentinel Weekly Newsletter

by Azure Sentinel News Editor
March 1, 2021
0

I’ve sensed this for a while now, but a few days ago it really hit me —...

What’s new: Microsoft Teams connector in Public Preview

How to Generate Azure Sentinel Incidents for Testing

February 26, 2021
What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • Azure Sentinel Weekly Newsletter March 1, 2021
  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News