Azure Activity Logs

Tags: m365-azure, Cloud Infrastructure, Cloud Admin Portal, SIEM / Log Aggregator

Location

Azure Portal > Monitor > Activity Log (or az monitor activity-log list)

Description

Subscription-level logs recording control-plane operations against Azure resources, including resource creation/deletion, role assignments, policy changes, and deployment operations, each with the caller identity and IP address.

Forensic Value

Activity logs expose infrastructure-level attacks in Azure environments. Key indicators include unexpected VM creation (cryptomining or pivot hosts), storage account access key regeneration (preparation for data exfiltration), NSG rule modifications (opening inbound RDP/SSH), and resource lock deletions (preparing for resource destruction). The caller IP and identity fields tie actions to specific compromised accounts.
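As an added example (not part of this page), a triage pass in Python over records shaped like the output of `az monitor activity-log list -o json`, flagging the operations named above and keeping caller and client IP for attribution. The sample records, the subscription id, the identities and the IP are constructed placeholders.

```python
# Control-plane operations the indicators above refer to (real ARM operation
# names), mapped to the attacker behaviour each can signal.
SUSPICIOUS_OPERATIONS = {
    "microsoft.compute/virtualmachines/write": "VM creation (cryptomining / pivot host)",
    "microsoft.storage/storageaccounts/regeneratekey/action": "storage key regeneration (exfil prep)",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule change (inbound exposure)",
    "microsoft.authorization/locks/delete": "resource lock deletion (destruction prep)",
    "microsoft.authorization/roleassignments/write": "role assignment (privilege change)",
}

def _value(field):
    # az CLI / ARM REST emit operationName and status as {"value": ..., "localizedValue": ...};
    # some exports flatten them to plain strings. Accept both shapes.
    return field.get("value", "") if isinstance(field, dict) else (field or "")

def triage_activity_log(records):
    """Return one finding per successful suspicious operation, keeping caller and
    client IP so each action can be tied to a specific account."""
    findings = []
    for rec in records:
        reason = SUSPICIOUS_OPERATIONS.get(_value(rec.get("operationName")).lower())
        if reason is None or _value(rec.get("status")) != "Succeeded":
            continue  # Started / Failed entries for the same operation are noise here
        findings.append({"time": rec.get("eventTimestamp"), "caller": rec.get("caller"),
                         "ip": (rec.get("httpRequest") or {}).get("clientIpAddress"),
                         "resource": rec.get("resourceId"), "reason": reason})
    return findings

# Constructed sample in the shape of `az monitor activity-log list -o json`;
# <SUB-ID>, identities and the IP are placeholders, not real values.
SAMPLE_LOG = [
    {"eventTimestamp": "2024-05-01T02:14:09Z", "caller": "alice@example.com", "status": {"value": "Started"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/regenerateKey/action"}, "httpRequest": {"clientIpAddress": "203.0.113.7"},
     "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"},
    {"eventTimestamp": "2024-05-01T02:14:11Z", "caller": "alice@example.com", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/regenerateKey/action"}, "httpRequest": {"clientIpAddress": "203.0.113.7"},
     "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"},
    {"eventTimestamp": "2024-05-01T02:20:33Z", "caller": "alice@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/locks/delete", "httpRequest": {"clientIpAddress": "203.0.113.7"},
     "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg1/providers/Microsoft.Authorization/locks/donotdelete"},
    {"eventTimestamp": "2024-05-01T09:00:00Z", "caller": "bob@example.com", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"}, "httpRequest": {"clientIpAddress": "198.51.100.4"},
     "resourceId": "/subscriptions/<SUB-ID>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
]

if __name__ == "__main__":
    for f in triage_activity_log(SAMPLE_LOG):
        print(f"{f['time']} {f['caller']} from {f['ip']}: {f['reason']} on {f['resource']}")
```

The "Started" record is deliberately skipped: Azure writes a Started and a Succeeded (or Failed) entry for most operations, so matching on operation name alone double-counts.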

Tools Required

Azure Portal
Azure CLI (az monitor activity-log)
PowerShell (Az module)
Microsoft Graph API