Azure Activity Logs
Location
Azure Portal > Monitor > Activity Log (or az monitor activity-log list)
Description
Subscription-level logs recording control-plane operations against Azure resources including resource creation/deletion, role assignments, policy changes, and deployment operations with caller identity and IP address.
Forensic Value
Activity logs expose infrastructure-level attacks in Azure environments. Key indicators include unexpected VM creation (cryptomining or pivot hosts), storage account access key regeneration (preparation for data exfiltration), NSG rule modifications (opening inbound RDP/SSH), and resource lock deletions (preparing for resource destruction). The caller IP and identity fields tie actions to specific compromised accounts.
Tools Required
Collection Commands
az CLI
az monitor activity-log list --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z --output json > azure_activity.json
PowerShell
Get-AzActivityLog -StartTime (Get-Date).AddDays(-90) -EndTime (Get-Date) | Export-Csv azure_activity_log.csv -NoTypeInformation
az CLI
az monitor activity-log list --resource-group <rg-name> --start-time 2024-01-01T00:00:00Z --query "[?authorization.action=='Microsoft.Compute/virtualMachines/write']" --output json > vm_changes.json
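As an added example (not part of this reference entry), a Python triage script that reads the JSON produced by the az CLI export above and flags the indicators listed under Forensic Value, grouped by caller identity and IP. The field names and the action strings other than the VM write from the query above are assumed to follow standard activity-log output; the sample events are constructed.

```python
import json
from collections import defaultdict

# Control-plane actions matching the Forensic Value indicators (lower-cased for matching).
INDICATORS = {
    "microsoft.compute/virtualmachines/write": "vm-create-or-modify",
    "microsoft.storage/storageaccounts/regeneratekey/action": "storage-key-regeneration",
    "microsoft.network/networksecuritygroups/securityrules/write": "nsg-rule-change",
    "microsoft.authorization/locks/delete": "resource-lock-deletion",
    "microsoft.authorization/roleassignments/write": "role-assignment",
}

# Constructed sample in the shape of `az monitor activity-log list --output json`
# (field names assumed to follow that output; every value here is made up).
SAMPLE_JSON = """[
 {"eventTimestamp": "2024-01-15T02:11:03Z", "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.10",
  "status": {"value": "Succeeded"}, "authorization": {"action": "Microsoft.Compute/virtualMachines/write"},
  "resourceId": "/subscriptions/<sub>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-new-01"},
 {"eventTimestamp": "2024-01-15T02:14:40Z", "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.10",
  "status": {"value": "Succeeded"}, "authorization": {"action": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
  "resourceId": "/subscriptions/<sub>/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/prod-nsg/securityRules/allow-rdp"},
 {"eventTimestamp": "2024-01-15T02:20:05Z", "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.10",
  "status": {"value": "Failed"}, "authorization": {"action": "Microsoft.Authorization/locks/delete"},
  "resourceId": "/subscriptions/<sub>/resourceGroups/prod/providers/Microsoft.Authorization/locks/no-delete"},
 {"eventTimestamp": "2024-01-15T09:00:00Z", "caller": "alice@example.com", "callerIpAddress": "198.51.100.7",
  "status": {"value": "Succeeded"}, "authorization": {"action": "Microsoft.Compute/virtualMachines/read"},
  "resourceId": "/subscriptions/<sub>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-01"}
]"""
SAMPLE_EVENTS = json.loads(SAMPLE_JSON)  # replace with json.load(open("azure_activity.json")) for a real export

def flag_events(events, succeeded_only=True):
    """Return indicator hits with caller identity and IP; failed attempts are kept only when succeeded_only=False."""
    flagged = []
    for ev in events:
        action = ((ev.get("authorization") or {}).get("action") or "").lower()
        label = INDICATORS.get(action)
        status = (ev.get("status") or {}).get("value") or ""
        if label is None or (succeeded_only and status != "Succeeded"):
            continue
        flagged.append({"time": ev.get("eventTimestamp"), "caller": ev.get("caller"),
                        "ip": ev.get("callerIpAddress"), "label": label,
                        "status": status, "resource": ev.get("resourceId")})
    return flagged

def by_caller(flagged):
    """Group hits by (caller, IP) so one identity's sequence of actions stands out."""
    groups = defaultdict(list)
    for hit in flagged:
        groups[(hit["caller"], hit["ip"])].append(hit["label"])
    return dict(groups)
```

Run with succeeded_only=False when a failed lock deletion or key regeneration attempt is itself the lead worth chasing.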
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Exploitation of Unknown or Unpatched Vulnerability
The initial access vector appears to be a zero-day or otherwise unpatched vulnerability with no public advisory, CVE, or patch available. Signature-based detection misses the exploit; response must pivot to behavioral hunting, exploit-chain hypothesis, and vendor/CERT coordination to accelerate disclosure and mitigation.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.