Azure Container Registry (ACR) Audit Logs

Cloud & SaaS, Cloud Infrastructure, Cloud Control Plane, SIEM / Log Aggregator

Location

Azure Monitor diagnostic settings for Microsoft.ContainerRegistry/registries

Description

Audit and access logs for Azure Container Registry operations including image push and pull events, repository listing, token use, webhook changes, authentication failures, and registry configuration updates.

Forensic Value

ACR logs reveal supply-chain and workload-staging abuse around AKS and other containerized platforms. Unauthorized image pulls can show attacker reconnaissance of private repositories. Malicious image pushes or tag changes can explain how compromised workloads were introduced. Registry authentication failures and token use help identify abused service principals or workload identities tied to cluster operations.

Tools Required

Azure Monitor, Azure CLI, KQL, SIEM (Sentinel / Log Analytics)

Collection Commands

az CLI

az monitor diagnostic-settings list --resource <acr-resource-id>

KQL

AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceProvider == "MICROSOFT.CONTAINERREGISTRY"
| project TimeGenerated, OperationName, CallerIPAddress, identity, Repository, Tag

KQL

AzureActivity
| where TimeGenerated > ago(30d)
| where ResourceProvider has "Microsoft.ContainerRegistry"
| project TimeGenerated, OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue
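Added example (not part of this artifact card or of any Microsoft tooling): once rows from queries like the ones above are exported, this script triages them for the three patterns listed under Forensic Value: pulls from outside the expected egress range, a mutable tag being re-pushed, and repeated authentication failures per identity. The records are constructed; their field names mirror the KQL projection above, while "ResultType", the "Login" operation name and the 10.0.0.0/8 egress range are assumptions, not documented ACR schema.

```python
import ipaddress
from collections import Counter

# Constructed sample records, not real Azure output. Field names follow the
# page's KQL projection; "ResultType" and the "Login" operation are assumed.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "OperationName": "Push", "CallerIPAddress": "10.2.0.9", "identity": "ci-pipeline", "Repository": "web/api", "Tag": "1.4.2", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "OperationName": "Pull", "CallerIPAddress": "10.1.2.3", "identity": "aks-kubelet", "Repository": "web/api", "Tag": "1.4.2", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationName": "Pull", "CallerIPAddress": "203.0.113.7", "identity": "svc-build", "Repository": "web/api", "Tag": "1.4.2", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T10:20:00Z", "OperationName": "Push", "CallerIPAddress": "203.0.113.7", "identity": "svc-build", "Repository": "web/api", "Tag": "1.4.2", "ResultType": "Success"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "OperationName": "Login", "CallerIPAddress": "198.51.100.9", "identity": "svc-build", "Repository": "", "Tag": "", "ResultType": "Failure"},
    {"TimeGenerated": "2024-05-01T11:01:00Z", "OperationName": "Login", "CallerIPAddress": "198.51.100.9", "identity": "svc-build", "Repository": "", "Tag": "", "ResultType": "Failure"},
    {"TimeGenerated": "2024-05-01T11:02:00Z", "OperationName": "Login", "CallerIPAddress": "198.51.100.9", "identity": "svc-build", "Repository": "", "Tag": "", "ResultType": "Failure"},
]

# Assumed range from which AKS nodes and CI runners are expected to reach the registry.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def external_pulls(events, allowed=ALLOWED_NETS):
    """Pulls whose caller IP is outside the expected egress ranges (possible recon)."""
    hits = []
    for e in events:
        if e["OperationName"] != "Pull":
            continue
        ip = ipaddress.ip_address(e["CallerIPAddress"])
        if not any(ip in net for net in allowed):
            hits.append((e["identity"], e["CallerIPAddress"], e["Repository"]))
    return hits


def tag_overwrites(events):
    """A second successful Push to the same repo:tag means the tag was repointed."""
    seen, hits = set(), []
    for e in events:  # events are assumed to be in time order
        if e["OperationName"] != "Push" or e["ResultType"] != "Success":
            continue
        key = (e["Repository"], e["Tag"])
        if key in seen:
            hits.append((key, e["identity"], e["TimeGenerated"]))
        seen.add(key)
    return hits


def failing_identities(events, threshold=3):
    """(identity, IP) pairs with repeated failed logins: abused SP or token guessing."""
    counts = Counter((e["identity"], e["CallerIPAddress"]) for e in events
                     if e["OperationName"] == "Login" and e["ResultType"] != "Success")
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

In the sample data all three detections point at the same identity, which is the kind of correlation (external pull, then a tag overwrite, then failed logins) that turns single events into an incident timeline.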

MITRE ATT&CK Techniques

T1525, T1552, T1550.001