    Decoding Logs in the Cloud: Azure Activity Logs

    Continuing with our "Decoding Logs in the Cloud" series, we now turn our focus to Azure Activity Logs. In the previous posts, we covered AWS CloudTrail and VPC Flow Logs. This installment will explore Azure Activity Logs, providing insight into their structure, importance, and practical uses.

    What are Azure Activity Logs?


    Azure Activity Logs provide a comprehensive record of operations and events within your Azure resources. These logs help you monitor activities, diagnose issues, and maintain security across your Azure environment. They capture various types of operations, including create, update, delete, and action activities, providing a clear audit trail of who did what and when.

    Importance of Azure Activity Logs

    Azure Activity Logs are crucial for:

    • Security Monitoring: Detecting unauthorized access and potential security threats.
    • Compliance: Ensuring adherence to regulatory requirements by maintaining detailed logs.
    • Troubleshooting: Investigating and resolving operational issues by analyzing historical data.
    • Operational Insights: Monitoring and analyzing resource usage and changes for better management.


    Structure of Azure Activity Logs

    Azure Activity Logs are structured in JSON format and include several key fields that provide detailed information about each logged event. Here are the primary components:

    • tenantId: The Azure Active Directory tenant ID.
    • subscriptionId: The subscription ID associated with the event.
    • eventTimestamp: The timestamp of the event.
    • operationName: The name of the operation performed.
    • category: The category of the event (e.g., Administrative, Security, ServiceHealth).
    • level: The severity level of the event (e.g., Informational, Warning, Error).
    • resultType: The result of the operation (e.g., Success, Failed).
    • resultSignature: A detailed result code.
    • durationMs: The duration of the operation in milliseconds.
    • caller: The identity of the caller who initiated the event.
    • correlationId: A unique identifier for correlating related events.
    • resourceId: The resource ID affected by the event.
    • properties: Additional properties related to the event.

    Example of an Azure Activity Log Entry

    Here is an example of an Azure Activity Log entry for reference:

    {
      "tenantId": "12345678-1234-1234-1234-123456789abc",
      "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
      "eventTimestamp": "2023-07-21T19:23:45Z",
      "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
      "category": "Administrative",
      "level": "Informational",
      "resultType": "Success",
      "resultSignature": "Accepted",
      "durationMs": 3456,
      "caller": "user@domain.com",
      "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
      "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
      "properties": {
        "statusCode": "Accepted",
        "statusMessage": "The operation was accepted for processing."
      }
    }

    Analyzing Azure Activity Logs

    To effectively utilize Azure Activity Logs, you can:

    1. Centralize Logging: Store logs in Azure Monitor, Azure Storage, or Azure Event Hubs for centralized access and analysis.
    2. Automate Monitoring: Set up alerts and automated actions using Azure Monitor to respond to specific log events.
    3. Visualize Data: Use Azure dashboards, Power BI, or third-party tools to visualize and analyze activity log data.
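    The following script is an added example, not part of the original post or of any Cado tooling. It ties together the field structure described above, the sample entry, and the "automate monitoring" step: it parses a small constructed export of Activity Log entries (the post's own deallocate event plus invented entries for a delete, a failed role-assignment write and a Security-category event), rebuilds per-operation timelines by correlationId, and applies a few triage rules of the kind you would otherwise express as Azure Monitor alert conditions. All tenant, subscription and caller values are fabricated placeholders.

```python
"""Parse Azure Activity Log entries, group them by correlationId and flag
events an analyst would want to look at first. Added example; the sample
export below is constructed and contains no real tenant data."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed export in the field layout described in the post. The second
# entry is the post's own example; the others are invented for illustration.
SAMPLE_EXPORT = """
[
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:23:40Z", "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
  "category": "Administrative", "level": "Informational", "resultType": "Start", "resultSignature": "Started",
  "durationMs": 0, "caller": "user@domain.com", "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "properties": {}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:23:45Z", "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
  "category": "Administrative", "level": "Informational", "resultType": "Success", "resultSignature": "Accepted",
  "durationMs": 3456, "caller": "user@domain.com", "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "properties": {"statusCode": "Accepted", "statusMessage": "The operation was accepted for processing."}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T20:01:12Z", "operationName": "Microsoft.Network/networkSecurityGroups/delete",
  "category": "Administrative", "level": "Informational", "resultType": "Success", "resultSignature": "OK",
  "durationMs": 1200, "caller": "svc-automation@domain.com", "correlationId": "11111111-2222-3333-4444-555555555555",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
  "properties": {}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T20:05:30Z", "operationName": "Microsoft.Authorization/roleAssignments/write",
  "category": "Administrative", "level": "Error", "resultType": "Failed", "resultSignature": "Forbidden",
  "durationMs": 85, "caller": "user@domain.com", "correlationId": "66666666-7777-8888-9999-000000000000",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/providers/Microsoft.Authorization/roleAssignments/placeholder-id",
  "properties": {"statusCode": "Forbidden"}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T20:10:00Z", "operationName": "Microsoft.Security/locations/alerts/activate/action",
  "category": "Security", "level": "Warning", "resultType": "Success", "resultSignature": "OK",
  "durationMs": 10, "caller": "Azure Security Center", "correlationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/providers/Microsoft.Security/locations/westeurope/alerts/placeholder-alert",
  "properties": {}}
]
"""


@dataclass(frozen=True)
class ActivityEvent:
    """The subset of Activity Log fields this example reasons about."""
    timestamp: datetime
    operation: str
    category: str
    level: str
    result: str
    caller: str
    correlation_id: str
    resource_id: str

    @property
    def provider(self) -> str:
        """Resource provider namespace: the path segment after '/providers/'."""
        parts = self.resource_id.split("/")
        try:
            return parts[parts.index("providers") + 1]
        except (ValueError, IndexError):
            return ""

    @property
    def resource_group(self) -> str:
        """Resource group name, or '' for subscription-scoped resources."""
        parts = self.resource_id.split("/")
        for i, part in enumerate(parts):
            if part.lower() == "resourcegroups" and i + 1 < len(parts):
                return parts[i + 1]
        return ""


def parse_events(text: str) -> list[ActivityEvent]:
    """Load a JSON array of Activity Log entries, oldest first."""
    events = []
    for raw in json.loads(text):
        # eventTimestamp uses a trailing 'Z'; normalise for fromisoformat on older Pythons.
        ts = datetime.fromisoformat(raw["eventTimestamp"].replace("Z", "+00:00"))
        events.append(ActivityEvent(ts, raw["operationName"], raw["category"], raw["level"],
                                    raw["resultType"], raw["caller"], raw["correlationId"],
                                    raw["resourceId"]))
    return sorted(events, key=lambda e: e.timestamp)


def timeline_by_correlation(events: list[ActivityEvent]) -> dict[str, list[ActivityEvent]]:
    """Group the Start/Success/Failed records of one operation under its correlationId."""
    groups: dict[str, list[ActivityEvent]] = defaultdict(list)
    for e in events:
        groups[e.correlation_id].append(e)
    return dict(groups)


def triage(events: list[ActivityEvent]) -> list[tuple[str, str, str]]:
    """Apply simple alert-style rules; returns (rule, caller, operationName) triples."""
    findings = []
    for e in events:
        if e.result == "Failed" or e.level in ("Error", "Critical"):
            findings.append(("failed-operation", e.caller, e.operation))
        if e.operation.lower().endswith("/delete"):
            findings.append(("resource-deleted", e.caller, e.operation))
        if e.category == "Security":
            findings.append(("security-category", e.caller, e.operation))
        if e.operation.startswith("Microsoft.Authorization/roleAssignments/"):
            findings.append(("rbac-change", e.caller, e.operation))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for cid, group in timeline_by_correlation(evs).items():
        print(cid, [f"{g.timestamp:%H:%M:%S} {g.result}" for g in group])
    for rule, caller, op in triage(evs):
        print(f"[{rule}] {caller} -> {op}")
```

The rules are deliberately coarse; in a real deployment the same conditions belong in Azure Monitor alert rules (step 2 above), and correlationId grouping is what lets you tell a single long-running operation from repeated attempts by the same caller.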

    The Cado Platform

    Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

    Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises set up. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.

    Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.

    Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced.

    Azure Activity Logs provide essential insights into the operations and events occurring within your Azure environment. By understanding their structure and significance, you can enhance your cloud infrastructure's security, compliance, and operational efficiency.


    Tag(s): Cloud DFIR
