Azure Activity¶
About¶
Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud and on-premises environments. You can use Azure Monitor to maximize the availability and performance of your applications and services. It helps you understand how your applications are performing and allows you to manually and programmatically respond to system events.
Azure Monitor collects and aggregates the data from every layer and component of your system across multiple Azure and non-Azure subscriptions and tenants. It stores it in a common data platform for consumption by a common set of tools that can correlate, analyze, visualize, and/or respond to the data. You can also integrate other Microsoft and non-Microsoft tools.
Product Details¶
Product Type: Data Management
Product Tier: Tier III
Integration URL: Microsoft Azure Activity Documentation
Integration Method: API
Log Guide: Azure Activity Log event schema
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 99%-100%
Data Label: AZURE_ACTIVITY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| callerIpAddress | principal.ip |
| category | security_result.category_details |
| correlationId | security_result.detection_fields |
| incomingTokenType | additional.fields |
| Level | security_result.severity_details |
| location | target.location.name |
| operationName | metadata.product_event_type |
| properties.location.city | principal.location.city |
| properties.location.countryOrRegion | principal.location.country_or_region |
| properties.location.geoCoordinates.latitude | principal.location.region_latitude |
| properties.location.geoCoordinates.longitude | principal.location.region_longitude |
| properties.location.state | principal.location.state |
| properties.resourceDisplayName | target.resource.name |
| properties.riskDetail | security_result.summary |
| properties.riskState | security_result.outcomes |
| properties.servicePrincipalId | principal.user.userid |
| resultSignature | additional.fields |
| resultType | additional.fields |
| resultType | security_result.action |
| tenantId | metadata.product_deployment_id |
| time | metadata.event_timestamp |
| tokenIssuerType | additional.fields |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/RESTOREPOINTS/DELETE | RESOURCE_DELETION |
| MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/RESTOREPOINTS/RETRIEVESASURIS/ACTION | RESOURCE_READ |
| MICROSOFT.COMPUTE/RESTOREPOINTCOLLECTIONS/RESTOREPOINTS/WRITE | RESOURCE_WRITTEN |
| MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION | RESOURCE_READ |
| MICROSOFT.COMPUTE/SNAPSHOTS/DELETE | RESOURCE_DELETION |
| MICROSOFT.COMPUTE/SNAPSHOTS/ENDGETACCESS/ACTION | RESOURCE_DELETION |
| MICROSOFT.COMPUTE/SNAPSHOTS/WRITE | RESOURCE_WRITTEN |
| MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/WRITE | USER_RESOURCE_CREATION |
| Microsoft.Resourcehealth/healthevent/InProgress/action | STATUS_STARTUP |
| MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/WRITE | RESOURCE_CREATION |
| Microsoft.Security/locations/alerts/activate/action | STATUS_STARTUP |
| Microsoft.Sql/servers/write | RESOURCE_WRITTEN |
| MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTACCOUNTSAS/ACTION | RESOURCE_READ |
| MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION | RESOURCE_READ |
| MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTSERVICESAS/ACTION | RESOURCE_READ |
| Sign-in activity | USER_LOGIN |
Log Sample¶
{"Level":4,"callerIpAddress":"10.22.160.14","category":"ServicePrincipalSignInLogs","correlationId":"01234567-c0b3-4b8a-8874-a3bf2257b021","durationMs":0,"location":"US","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appId":"01234567-08a0-4245-a1ba-5eef24d274f7","appServicePrincipalId":null,"appliedConditionalAccessPolicies":[{"conditionsNotSatisfied":8192,"conditionsSatisfied":1035,"displayName":"Service Principal Block","enforcedGrantControls":["Block"],"enforcedSessionControls":[],"excludeRulesSatisfied":[],"id":"9c2f0aa7-cded-40fa-bea0-b2055bf9e061","includeRulesSatisfied":[{"conditionalAccessCondition":1,"ruleSatisfied":"allApps"},{"conditionalAccessCondition":8,"ruleSatisfied":"allLocations"}],"result":"reportOnlyNotApplied"}],"authenticationProcessingDetails":[],"authenticationProtocol":"none","clientCredentialType":"none","conditionalAccessAudiences":[{"applicationId":"01234567-5f11-4dd9-bef3-692475845e77","audienceReasons":"firstPartyResourceDefault"}],"conditionalAccessStatus":"notApplied","correlationId":"01234567-c0b3-4b8a-8874-a3bf2257b021","createdDateTime":"2024-09-20T19:15:50.1178699+00:00","crossTenantAccessType":"none","federatedCredentialId":"","flaggedForReview":false,"id":"01234567-4771-4be8-b57e-d35691c82f00","incomingTokenType":"none","ipAddress":"10.22.160.14","isInteractive":false,"isTenantRestricted":false,"isThroughGlobalSecureAccess":false,"location":{"city":"Columbus","countryOrRegion":"US","geoCoordinates":{"latitude":39.99557876586914,"longitude":-82.99945831298828},"state":"Ohio"},"originalTransferMethod":"none","processingTimeInMilliseconds":0,"resourceDisplayName":"Microsoft.EventHubs","resourceId":"01234567-5f11-4dd9-bef3-692475845e77","resourceServicePrincipalId":"c2b037ae-6847-4865-aa56-52ec2e9ce6d3","riskDetail":"none","riskLevelAggregated":"low","riskLevelDuringSignIn":"low","riskState":"none","servicePrincipalCredentialKeyId":"7002e038-10b1-4db5-8281-b00ab96a9074","servicePrincipalCredentialThumbprint":"E81E3C172ED8BB0A49D15EAFAD4CE0834DD85D64","servicePrincipalId":"01234567-cf81-47ea-96e2-d8cfbf488a93","servicePrincipalName":"wiz-01234567-460b-4f22-b482-c1bb0697567f","signInTokenProtectionStatus":"none","status":{"errorCode":0},"tokenIssuerType":"AzureAD","uniqueTokenIdentifier":"SM97_nFH6Eu1ftNWkcgvAA","userId":null},"resourceId":"/tenants/01234567-2b75-4762-ae08-11de584d8e83/providers/Microsoft.aadiam","resultSignature":"None","resultType":"0","tenantId":"01234567-2b75-4762-ae08-11de584d8e83","time":"2024-09-20T19:17:30.7833619Z"}
Sample Parsing¶
```text additional.fields["incomingTokenType"] = "none" additional.fields["resultSignature"] = "None" additional.fields["resultType"] = "0" additional.fields["tokenIssuerType"] = "AzureAD" extensions.auth.type = "MACHINE" metadata.event_timestamp = "2024-09-20T19:17:30.000Z" metadata.event_type = "USER_LOGIN" metadata.product_deployment_id = "01234567-2b75-4762-ae08-11de584d8e83" metadata.product_event_type = "Sign-in activity" principal.ip = "10.22.160.14" principal.location.city = "Columbus" principal.location.country_or_region = "US" principal.location.region_latitude = "39.99558" principal.location.region_longitude = "-82.99946" principal.location.state = "Ohio" principal.user.userid = "01234567-cf81-47ea-96e2-d8cfbf488a93" security_result.action = "ALLOW" security_result.category_details = "ServicePrincipalSignInLogs" security_result.detection_fields.key[0] = "correlationId" security_result.detection_fields.value[0] = "01234567-c0b3-4b8a-8874-a3bf2257b021" security_result.detection_fields.key[1] = "riskState" security_result.detection_fields.value[1] = "none" security_result.severity = "INFORMATIONAL" security_result.severity_details = "4" security_result.summary = "none" target.cloud.environment = "MICROSOFT_AZURE" target.location.name = "US" target.resource.name = "Microsoft.EventHubs" target.resource.resource_subtype = "STORAGE_BUCKET" ````
Rules¶
Coming Soon