Azure Activity Logs
Categories: Cloud & SaaS, Cloud Infrastructure, Cloud Control Plane, SIEM / Log Aggregator
Location
Azure Portal > Monitor > Activity Log (or az monitor activity-log list)
Description
Subscription-level logs recording control-plane operations against Azure resources, including resource creation/deletion, role assignments, policy changes, and deployment operations, each with the caller identity and source IP address.
Forensic Value
Activity logs expose infrastructure-level attacks in Azure environments. Key indicators include unexpected VM creation (cryptomining or pivot hosts), storage account access key regeneration (preparation for data exfiltration), NSG rule modifications (opening inbound RDP/SSH), and resource lock deletions (preparing for resource destruction). The caller IP and identity fields tie actions to specific compromised accounts.
Tools Required
Azure Portal, Azure CLI (az monitor activity-log), PowerShell (Az module), Microsoft Graph API
Collection Commands
az CLI
az monitor activity-log list --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z --output json > azure_activity.json
PowerShell
Get-AzActivityLog -StartTime (Get-Date).AddDays(-90) -EndTime (Get-Date) | Export-Csv azure_activity_log.csv -NoTypeInformation
az CLI
az monitor activity-log list --resource-group <rg-name> --start-time 2024-01-01T00:00:00Z --query "[?authorization.action=='Microsoft.Compute/virtualMachines/write']" --output json > vm_changes.json
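Once the JSON export above is on disk, the indicators listed under Forensic Value can be triaged offline. The script below is an added example, not part of the original page or of any Microsoft tooling: it loads the array written by az monitor activity-log list --output json, keeps only terminal (non-Started) entries whose authorization.action matches one of the indicator operations, and ties each hit to its caller and client IP. The virtualMachines/write action is the one the page's own query uses; the other operation names and the field names (authorization, status.value, httpRequest.clientIpAddress, caller, eventTimestamp) are the standard az CLI output shape and are assumptions here, as is the constructed sample data.

```python
import json
from collections import Counter

# Map authorization.action values to the indicators described under "Forensic Value".
# The virtualMachines/write action is the one the page's own query filters on; the
# other operation names are the standard Azure resource-provider operations for
# those indicators and are assumed here rather than taken from the page.
SUSPICIOUS_ACTIONS = {
    "Microsoft.Compute/virtualMachines/write":
        "VM created/modified (possible cryptomining or pivot host)",
    "Microsoft.Storage/storageAccounts/regenerateKey/action":
        "storage account access key regenerated (exfiltration preparation)",
    "Microsoft.Network/networkSecurityGroups/securityRules/write":
        "NSG rule written (possible inbound RDP/SSH exposure)",
    "Microsoft.Authorization/locks/delete":
        "resource lock deleted (destruction preparation)",
    "Microsoft.Authorization/roleAssignments/write":
        "role assignment written (privilege persistence)",
}


def load_events(path):
    """Load the JSON array written by `az monitor activity-log list --output json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def triage(events, known_ips=frozenset()):
    """Return one finding per terminal event whose action is in SUSPICIOUS_ACTIONS.

    Each finding keeps the caller identity and client IP so it can be tied back to an
    account; `unknown_ip` flags callers outside the allow-list of expected source IPs.
    """
    findings = []
    for ev in events:
        auth = ev.get("authorization") or {}
        action = auth.get("action", "")
        status = (ev.get("status") or {}).get("value", "")
        # Each operation logs a "Started" entry followed by a terminal entry
        # (Succeeded/Failed); skip the former so one operation yields one finding.
        if action not in SUSPICIOUS_ACTIONS or status == "Started":
            continue
        ip = (ev.get("httpRequest") or {}).get("clientIpAddress", "")
        findings.append({
            "time": ev.get("eventTimestamp", ""),
            "caller": ev.get("caller", ""),
            "ip": ip,
            "status": status,
            "action": action,
            "scope": auth.get("scope", ""),
            "why": SUSPICIOUS_ACTIONS[action],
            "unknown_ip": bool(ip) and ip not in known_ips,
        })
    findings.sort(key=lambda f: f["time"])
    return findings


def callers_summary(findings):
    """Count findings per (caller, ip) pair to surface the most active identities."""
    return Counter((f["caller"], f["ip"]) for f in findings)


# Constructed sample in the az CLI output shape (field names assumed; values fictional).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-15T02:10:00Z", "caller": "contractor@example.com",
     "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                       "scope": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm01"},
     "status": {"value": "Started"}, "httpRequest": {"clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-01-15T02:10:41Z", "caller": "contractor@example.com",
     "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                       "scope": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm01"},
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-01-15T02:12:05Z", "caller": "contractor@example.com",
     "authorization": {"action": "Microsoft.Storage/storageAccounts/regenerateKey/action",
                       "scope": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodbackups"},
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-01-15T09:00:00Z", "caller": "ops@example.com",
     "authorization": {"action": "Microsoft.Network/networkSecurityGroups/securityRules/write",
                       "scope": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-lb"},
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "203.0.113.10"}},
    {"eventTimestamp": "2024-01-15T09:05:00Z", "caller": "ops@example.com",
     "authorization": {"action": "Microsoft.Compute/virtualMachines/read", "scope": "/subscriptions/0000"},
     "status": {"value": "Succeeded"}, "httpRequest": {"clientIpAddress": "203.0.113.10"}},
]

if __name__ == "__main__":
    import sys
    # Usage: python triage_activity.py azure_activity.json  (falls back to the sample)
    events = load_events(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for f in triage(events, known_ips={"203.0.113.10"}):
        flag = " [UNKNOWN IP]" if f["unknown_ip"] else ""
        print(f"{f['time']} {f['caller']} {f['ip']}{flag} {f['status']} {f['action']} -> {f['why']}")
```

Feed it the file produced by the first az CLI command (the --query variant already pre-filters to VM writes, so the full export is the better input), and populate known_ips with the egress addresses of your administrators' networks or bastions; any hit from an unlisted IP is the first thing to pivot on in the caller's sign-in history.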
MITRE ATT&CK Techniques
T1578, T1580, T1098, T1562.001, T1078.004