Azure Resource Diagnostic Logs

Cloud & SaaS, Cloud Infrastructure, Cloud Control Plane, SIEM / Log Aggregator

Location

Azure Portal > Resource > Diagnostic settings > Log Analytics workspace

Description

Data-plane logs for individual Azure resources (Key Vault access, Storage Blob read/write, SQL audit, App Service HTTP logs). They exist only when a diagnostic setting on the resource routes them to a Log Analytics workspace, a Storage account, or an Event Hub.

Forensic Value

Resource logs provide data-plane visibility that Activity Logs lack. Key Vault access logs reveal which secrets, keys, and certificates were read or modified during a breach. Storage account logs show exact blob names accessed and by which identity. These logs are critical for understanding what data the attacker actually accessed versus what they merely had permissions to access.

Tools Required

Azure Portal, Log Analytics (KQL), Azure CLI, PowerShell (Az module)

Collection Commands

KQL

AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceType == "VAULTS"
| where OperationName == "SecretGet"
| project TimeGenerated, CallerIPAddress, identity_claim_upn_s, OperationName, id_s

az CLI

az monitor diagnostic-settings list --resource <resource-id> --output json > diagnostic_settings.json

PowerShell

Get-AzDiagnosticSetting -ResourceId <resource-id> | ConvertTo-Json -Depth 10 > diagnostic_config.json
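As an added example that is not part of the original entry, the Key Vault query above is extended to answer the question the Forensic Value section raises: which objects each identity actually read or changed, from which IPs, and how many calls were denied. It assumes the AzureDiagnostics schema for Key Vault audit events (ResultSignature values of OK / Forbidden, object URI in id_s, caller in identity_claim_upn_s or identity_claim_appid_g).

```kql
// Added example (not from the original page): per-identity summary of Key Vault
// data-plane activity. Column names assume the AzureDiagnostics Key Vault schema.
let lookback = 30d;
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "VAULTS" and Category == "AuditEvent"
// Reads and mutations that matter when scoping what an attacker touched.
| where OperationName in ("SecretGet", "SecretList", "KeyGet", "CertificateGet",
                          "SecretSet", "SecretDelete", "KeySign", "KeyDecrypt")
// id_s is the object URI, e.g. https://<vault>.vault.azure.net/secrets/<name>/<version>;
// index 4 after splitting on "/" is the object name.
| extend ObjectName = tostring(split(id_s, "/")[4])
// Users carry a UPN claim; service principals and managed identities carry an app id.
| extend Caller = coalesce(identity_claim_upn_s, tostring(identity_claim_appid_g), "<unknown>")
| summarize
    Attempts  = count(),
    Succeeded = countif(ResultSignature == "OK"),
    Denied    = countif(ResultSignature == "Forbidden"),
    Objects   = make_set(ObjectName, 50),
    SourceIPs = make_set(CallerIPAddress, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by Caller, OperationName, Resource
// Denied calls first: a burst of Forbidden results is often enumeration before a successful read.
| order by Denied desc, Succeeded desc
```

Objects lists the names actually retrieved or modified, which is the "accessed versus merely permitted" distinction the Forensic Value section describes; compare it against the vault's access policies or RBAC assignments to see what else the same identity could have reached.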

MITRE ATT&CK Techniques

T1530, T1580, T1578, T1213.002, T1098