Azure Activity logs provides insight into any subscription-level or management group level events that have occurred in Azure, there are three main categories covered under Azure Activity and a bunch of resource types, for more details click here:
- Azure Resources
Each event in the Activity Log has a particular category . See the sections below for more detail on each category and its schema when you access the Activity log from the portal, PowerShell, CLI, and REST API. The schema is different when you stream the Activity log to storage or Event Hubs:
|Administrative||Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.
Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.
|Service Health||Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event SQL Azure in East US is experiencing downtime.
Service Health events come in Six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.
|Resource Health||Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is Virtual Machine health status changed to unavailable.
Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.
|Alert||Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM has been over 80 for the past 5 minutes.|
|Autoscale||Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is Autoscale scale up action failed.|
|Recommendation||Contains recommendation events from Azure Advisor.|
|Security||Contains the record of any alerts generated by Azure Security Center. An example of a Security event is Suspicious double extension file executed.|
|Policy||Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.|
Our hunting library for today will shed more lights on “Administrative” category which contains the record of all create, update, delete, and action operations performed through Resource Manager, this means an auditing & reporting activities have to be in place and hence there are a set of operations (Operation Name) which defines a resource types.
Hunting such kind of activities (aka: Clues) require defining the category, operation name “value” & activity value. Before sharing couple of hunting use-cases let’s have a look at a set of administrative operations as a sample:
|Operation name||Resource type|
|Create or update workbook||Microsoft.Insights/workbooks|
|Set Workflow – Playbook||Microsoft.Logic/workflows|
|Delete Workflow – Playbook||Microsoft.Logic/workflows|
|Create Saved Search||Microsoft.OperationalInsights/workspaces/savedSearches|
|Delete Saved Search||Microsoft.OperationalInsights/workspaces/savedSearches|
|Update Alert – Analytics Rules||Microsoft.SecurityInsights/alertRules|
|Delete Alert – Analytics Rules||Microsoft.SecurityInsights/alertRules|
|Update Alert Rule Response Actions||Microsoft.SecurityInsights/alertRules/actions|
|Delete Alert Rule Response Actions||Microsoft.SecurityInsights/alertRules/actions|
|Update Case Investigation||Microsoft.SecurityInsights/Cases/investigations|
|Create Case Comments||Microsoft.SecurityInsights/Cases/comments|
|Update Data Connectors||Microsoft.SecurityInsights/dataConnectors|
|Delete Data Connectors||Microsoft.SecurityInsights/dataConnectors|
|Update / Delete NSG||Microsoft.Network/networkSecurityGroups|
|Create / Update / Delete Pubic IP Addresses||Microsoft.Network/publicIPAddresses|
|Create / Update / Delete Network Interfaces||Microsoft.Network/networkInterfaces|
|Route tables actions||Microsoft.Network/routeTables|
|Create / Update / Delete Front door web app firewall policies||Microsoft.Network/frontdoorwebapplicationfirewallpolicies|
|DDOS Protection Plans Actions||Microsoft.Network/ddosProtectionPlans|
|Create / Update / Delete Virtual Networks||Microsoft.Network/virtualNetworks|
|Create / Update / Delete Front doors||Microsoft.Network/frontdoors|
|Create / Update / Delete Subnets||Microsoft.Network/virtualNetworks/subnets|
|Create / Update / Delete Application Gateways||Microsoft.Network/applicationGateways|
|Create / Update / Delete Update Virtual Network Peerings||Microsoft.Network/virtualNetworks/virtualNetworkPeerings|
|Firewall Policies Rule Groups Actions||Microsoft.Network/firewallPolicies/ruleGroups|
|Create / Update / Delete Azure Firewalls||Microsoft.Network/azureFirewalls|
|Create / Update / Delete Firewall Policies||Microsoft.Network/firewallPolicies|
|DNS Resources Actions||Microsoft.Network/getDnsResourceReference|
#1 Creating a new Azure Sentinel Analytics – Rule:
AzureActivity | where Category == "Administrative" | where OperationNameValue == "Microsoft.SecurityInsights/alertRules/write" | where ActivitySubstatusValue == "Created"
#2 Deleting an existing Azure Sentinel Analytics – Rule:
AzureActivity | where Category == "Administrative" | where OperationNameValue == "Microsoft.SecurityInsights/alertRules/delete" | where ActivitySubstatusValue == "OK"
#3 Creating a new NSG:
// NSG : 201 Created status means "Created" AzureActivity | where Category == "Administrative" | where OperationNameValue == "Microsoft.Network/networkSecurityGroups/write" | where ActivitySubstatusValue == "Created"
#4 Updating an Existing NSG:
// NSG : 200 Ok status means "Updated" AzureActivity | where Category == "Administrative" | where OperationNameValue == "Microsoft.Network/networkSecurityGroups/write" | where ActivitySubstatusValue == "OK"
#5 Creating Virtual Network Subnets:
// Virtual Networks Subnets Creation AzureActivity | where Category == "Administrative" | where OperationNameValue == "Microsoft.Network/virtualNetworks/subnets/write" | where ActivitySubstatusValue == "Created"
And much more use-cases and hunting queries can be configured, we make it easy so check out the Azure Sentinel Administrative Suspicious Activities Library uploaded to gihub :
Last but not least, how about visualization – reporting via Workbooks ?
@Clive Watson built a new workbook version that shows in a new [Computer] tab the NSG to Computer relationship, as well as items such as Public and Private IP, policy and version (and many more) with lots of search options, check this out and download from:
Enjoy hunting the clues! and please share your feedback.