Continuing with our "Decoding Logs in the Cloud" series, we now turn our focus to Azure Activity Logs. In the previous posts, we covered AWS CloudTrail and VPC Flow Logs. This installment will explore Azure Activity Logs, providing insight into their structure, importance, and practical uses.
Azure Activity Logs
Azure Activity Logs provide a comprehensive record of operations and events within your Azure resources. These logs help you monitor activities, diagnose issues, and maintain security across your Azure environment. They capture various types of operations, including create, update, delete, and action activities, providing a clear audit trail of who did what and when.
Azure Activity Logs are crucial for:
Azure Activity Logs are structured in JSON format and include several key fields that provide detailed information about each logged event. Here are the primary components:
tenantId: The Azure Active Directory tenant ID.
subscriptionId: The subscription ID associated with the event.
eventTimestamp: The timestamp of the event.
operationName: The name of the operation performed.
category: The category of the event (e.g., Administrative, Security, ServiceHealth).
level: The severity level of the event (e.g., Informational, Warning, Error).
resultType: The result of the operation (e.g., Success, Failed).
resultSignature: A detailed result code.
durationMs: The duration of the operation in milliseconds.
caller: The identity of the caller who initiated the event.
correlationId: A unique identifier for correlating related events.
resourceId: The resource ID affected by the event.
properties: Additional properties related to the event.
Here is an example of an Azure Activity Log entry for reference:
{
  "tenantId": "12345678-1234-1234-1234-123456789abc",
  "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:23:45Z",
  "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
  "category": "Administrative",
  "level": "Informational",
  "resultType": "Success",
  "resultSignature": "Accepted",
  "durationMs": 3456,
  "caller": "user@domain.com",
  "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "properties": {
    "statusCode": "Accepted",
    "statusMessage": "The operation was accepted for processing."
  }
}
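As an added example (not code from the original post or from Cado), the following Python script shows how an analyst can parse entries with the structure described above and pull out the fields that matter during an investigation: who the caller was, which resource group and resource were touched, whether the operation failed, and which events belong to the same operation via correlationId. The first sample entry is the one shown above; the second and third entries, the `prod-rg` resource group, the `svc-deploy@domain.com` caller and the `Failed.Forbidden` result signature are constructed for this example and are not real data.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of three Activity Log entries (not real data). The first is the
# entry shown in the post; the other two are made up here to exercise a second event
# sharing the same correlationId and a failed Administrative delete operation.
SAMPLE_LOG = """
[
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:23:45Z", "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
  "category": "Administrative", "level": "Informational", "resultType": "Success", "resultSignature": "Accepted",
  "durationMs": 3456, "caller": "user@domain.com", "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "properties": {"statusCode": "Accepted", "statusMessage": "The operation was accepted for processing."}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:23:58Z", "operationName": "Microsoft.Compute/virtualMachines/deallocate/action",
  "category": "Administrative", "level": "Informational", "resultType": "Success", "resultSignature": "Succeeded",
  "durationMs": 12870, "caller": "user@domain.com", "correlationId": "abcdefab-1234-5678-90ab-abcdefabcdef",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "properties": {"statusCode": "OK", "statusMessage": "Constructed: operation completed."}},
 {"tenantId": "12345678-1234-1234-1234-123456789abc", "subscriptionId": "abcdef12-3456-7890-abcd-ef1234567890",
  "eventTimestamp": "2023-07-21T19:30:02Z", "operationName": "Microsoft.Network/networkSecurityGroups/delete",
  "category": "Administrative", "level": "Error", "resultType": "Failed", "resultSignature": "Failed.Forbidden",
  "durationMs": 210, "caller": "svc-deploy@domain.com", "correlationId": "11111111-2222-3333-4444-555555555555",
  "resourceId": "/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/prod-rg/providers/Microsoft.Network/networkSecurityGroups/prod-nsg",
  "properties": {"statusCode": "Forbidden", "statusMessage": "Constructed: caller lacks permission."}}
]
"""

# The last segment of operationName tells you what kind of operation it was.
ACTION_KINDS = {"delete": "delete", "write": "create/update", "action": "action", "read": "read"}


def parse_resource_id(resource_id):
    """Split an ARM resource ID of the form
    /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
    into its components; missing parts stay None."""
    parts = resource_id.strip("/").split("/")
    info = {"subscription": None, "resource_group": None,
            "provider": None, "resource_type": None, "name": None}
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        info["subscription"] = parts[1]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        info["resource_group"] = parts[3]
    if len(parts) >= 8 and parts[4].lower() == "providers":
        info["provider"], info["resource_type"], info["name"] = parts[5], parts[6], parts[7]
    return info


def parse_entry(raw):
    """Normalise one raw Activity Log entry into the fields used for triage."""
    op = raw["operationName"]
    kind = ACTION_KINDS.get(op.rsplit("/", 1)[-1].lower(), "other")
    return {
        "time": datetime.strptime(raw["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "caller": raw["caller"],
        "operation": op,
        "kind": kind,
        "category": raw["category"],
        "result": raw["resultType"],
        "signature": raw.get("resultSignature"),
        "correlation": raw["correlationId"],
        "resource": parse_resource_id(raw["resourceId"]),
    }


def load_entries(text):
    """Parse a JSON array of Activity Log entries (as exported from Azure)."""
    return [parse_entry(e) for e in json.loads(text)]


def failed_operations(entries):
    """Failed operations as (caller, operation, resource group, result signature)."""
    return [(e["caller"], e["operation"], e["resource"]["resource_group"], e["signature"])
            for e in entries if e["result"] == "Failed"]


def timeline_by_correlation(entries):
    """Events that belong to one operation share a correlationId; return their
    result signatures in time order so the start and end of each can be read off."""
    groups = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["time"]):
        groups[e["correlation"]].append(e["signature"])
    return dict(groups)


def destructive_operations(entries):
    """Administrative delete operations, successful or not, which deserve review first."""
    return [(e["caller"], e["operation"], e["resource"]["name"], e["result"])
            for e in entries if e["category"] == "Administrative" and e["kind"] == "delete"]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LOG)
    for row in failed_operations(entries):
        print("FAILED     ", row)
    for row in destructive_operations(entries):
        print("DELETE     ", row)
    for cid, signatures in timeline_by_correlation(entries).items():
        print("CORRELATION", cid, "->", " / ".join(signatures))
```

The correlationId grouping is the part worth keeping in mind: a single deallocate request produces more than one entry, so counting entries is not the same as counting operations, and the failed delete stands out because resultType, level and the statusCode in properties all agree on the outcome.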
To effectively utilize Azure Activity Logs, you can:
Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.
Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises setup. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.
Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.
Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced.
Azure Activity Logs provide essential insights into the operations and events occurring within your Azure environment. By understanding their structure and significance, you can enhance your cloud infrastructure's security, compliance, and operational efficiency.