Analyzing Azure Activity Logs for Threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative

Category: development Source: mukul975/Anthropic-Cybersecurity-Skills

What Is This?

The "Analyzing Azure Activity Logs for Threats" skill is designed to help cybersecurity professionals and security operations center (SOC) analysts detect and investigate suspicious activity within Azure environments. By leveraging the azure-monitor-query library, this skill enables users to query Azure Monitor activity logs and sign-in logs, using Kusto Query Language (KQL) to identify potential threats such as unauthorized administrative actions, anomalous sign-in behavior (including impossible travel), privilege escalation, and critical resource modifications. The skill provides a programmatic approach to threat hunting, detection rule creation, and incident investigation within Azure cloud infrastructures.

Why Use It?

As organizations increasingly migrate critical workloads to Azure, the attack surface expands, making continuous monitoring and analysis of cloud activity essential for maintaining security. Azure Activity Logs offer a rich source of telemetry on user actions and system changes, but the volume and complexity of these logs require automation and advanced querying to extract actionable insights. Utilizing this skill, security professionals can:

  • Detect Suspicious Administrative Operations: Identify unauthorized privilege escalation, creation or modification of high-privilege accounts, or changes to security configurations.
  • Identify Sign-in Anomalies: Spot patterns such as impossible travel (sign-ins from geographically distant locations within impossible timeframes) and unusual sign-in sources.
  • Monitor Resource Modifications: Track changes to critical resources, such as the creation or deletion of virtual machines, network security group modifications, or policy changes.
  • Automate Threat Hunting: Build reusable KQL queries for ongoing threat detection and integrate them into cloud SIEM solutions.
  • Improve Incident Response: Quickly respond to security incidents by pinpointing exactly when and how suspicious activity occurred.

This skill is particularly valuable for organizations with compliance requirements, those implementing NIST CSF controls (such as DE.CM-01 and RS.MA-01), and anyone looking to mature their cloud security monitoring capability.

How to Use It

Prerequisites

Before using this skill, ensure you have:

  • A working knowledge of security operations and familiarity with Azure monitoring tools.
  • Access to an Azure subscription and a Log Analytics workspace that actually receives the tables you want to query: AzureActivity arrives through the subscription's activity log diagnostic setting, and SigninLogs only exists in the workspace if Microsoft Entra ID sign-in logs are routed there through a diagnostic setting.
  • Python 3.8 or later installed on your analysis system.
  • Permission to read log data in the target workspace (for example the Log Analytics Reader role) and an identity that DefaultAzureCredential can pick up, such as an Azure CLI login, environment variables, or a managed identity.
  • The azure-monitor-query and azure-identity Python libraries installed.

You can install the required libraries with:

pip install azure-monitor-query azure-identity

Authenticating and Querying Activity Logs

The following example demonstrates how to authenticate and query Azure Activity Logs using the azure-monitor-query SDK:

from datetime import timedelta

from azure.core.exceptions import HttpResponseError
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient, LogsQueryStatus

# Authenticate using the default credential chain (environment, managed identity, Azure CLI, ...)
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

# Set your Log Analytics workspace ID (the workspace GUID, not its display name)
workspace_id = "your-log-analytics-workspace-id"

# Example KQL query to detect administrative operations that change RBAC
kql_query = """
AzureActivity
| where Category == "Administrative"
| where OperationNameValue in (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write"
)
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceId, SubscriptionId
| sort by TimeGenerated desc
"""

# Execute the KQL query. timespan takes a timedelta (or a (start, end) tuple of datetimes),
# not an ISO 8601 string. A failed query raises HttpResponseError rather than returning an error.
try:
    response = client.query_workspace(
        workspace_id=workspace_id,
        query=kql_query,
        timespan=timedelta(days=1),  # past 1 day
    )
except HttpResponseError as err:
    raise SystemExit(f"Query failed: {err.message}")

# A partial result (e.g. the query hit a row or time limit) still carries rows in partial_data;
# check for it so that a truncated result is not mistaken for "no hits".
if response.status == LogsQueryStatus.PARTIAL:
    print("Partial result:", response.partial_error)
    tables = response.partial_data
else:
    tables = response.tables

for table in tables:
    for row in table.rows:
        print(dict(zip(table.columns, row)))

Example: Detecting Impossible Travel Sign-In Activity

The following KQL query flags consecutive sign-ins by the same user from different countries that occur within a window too short for physical travel, a common indicator of credential compromise. prev() reads the previous row regardless of who it belongs to, so the query also carries the previous user forward and discards pairs that straddle a user boundary; without that guard, the last sign-in of one user is compared with the first sign-in of the next:

SigninLogs
| where ResultType == "0"  // successful sign-ins only; drop this line to include failed attempts
| where isnotempty(Location)
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PreviousUser = prev(UserPrincipalName), PreviousLocation = prev(Location), PreviousTime = prev(TimeGenerated)
| where PreviousUser == UserPrincipalName  // prev() does not partition by user; ignore rows that cross a boundary
| where PreviousLocation != Location
| extend TimeDifference = datetime_diff('minute', TimeGenerated, PreviousTime)
| where TimeDifference < 60  // Flag sign-ins less than 1 hour apart from different countries
| project UserPrincipalName, Location, PreviousLocation, TimeGenerated, PreviousTime, TimeDifference

This query can be adapted and executed using the same Python workflow as above. Location is a country code, so two sign-ins from neighbouring countries, or one routed through a VPN egress in another country, also match; for a distance-based check use the coordinates in LocationDetails.geoCoordinates, and tune the time window and the ResultType filter to your tenant.
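The same per-user logic, carried a step further than the query on this page, as an added example that is not part of the original skill or its repository: instead of a fixed 60-minute window it computes the ground speed implied by two consecutive sign-ins and flags anything faster than an airliner. The rows are constructed sample data in the shape of SigninLogs output (a real run would feed it the dicts produced by the query loop above); the Latitude and Longitude keys are an assumption that the calling query projects them from LocationDetails.geoCoordinates. naive_flags reproduces the un-partitioned, no-success-filter version of the query so the difference is visible on the same data.

```python
"""Impossible-travel check over sign-in rows, partitioned per user."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample rows (not real tenant data), deliberately out of order so the
# function has to sort them. Latitude/Longitude are assumed to come from
# LocationDetails.geoCoordinates in the SigninLogs projection.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "bob@example.com", "TimeGenerated": "2024-05-01T09:30:00Z",
     "Location": "BE", "Latitude": 50.8503, "Longitude": 4.3517, "ResultType": "0"},
    {"UserPrincipalName": "alice@example.com", "TimeGenerated": "2024-05-01T08:00:00Z",
     "Location": "GB", "Latitude": 51.5074, "Longitude": -0.1278, "ResultType": "0"},
    {"UserPrincipalName": "alice@example.com", "TimeGenerated": "2024-05-01T08:40:00Z",
     "Location": "US", "Latitude": 40.7128, "Longitude": -74.0060, "ResultType": "0"},
    {"UserPrincipalName": "bob@example.com", "TimeGenerated": "2024-05-01T08:45:00Z",
     "Location": "FR", "Latitude": 48.8566, "Longitude": 2.3522, "ResultType": "0"},
    {"UserPrincipalName": "carol@example.com", "TimeGenerated": "2024-05-01T07:00:00Z",
     "Location": "DE", "Latitude": 52.5200, "Longitude": 13.4050, "ResultType": "0"},
    # Failed sign-in (ResultType 50126 = invalid credentials) from far away five minutes later
    {"UserPrincipalName": "carol@example.com", "TimeGenerated": "2024-05-01T07:05:00Z",
     "Location": "JP", "Latitude": 35.6762, "Longitude": 139.6503, "ResultType": "50126"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(value):
    """Parse the ISO 8601 timestamps Log Analytics returns (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ordered(rows):
    # Equivalent of `sort by UserPrincipalName asc, TimeGenerated asc`
    return sorted(rows, key=lambda r: (r["UserPrincipalName"], parse_ts(r["TimeGenerated"])))


def impossible_travel(rows, max_speed_kmh=900.0, successful_only=True):
    """Return one finding per consecutive same-user sign-in pair whose implied speed
    exceeds max_speed_kmh (900 km/h is roughly airliner cruise speed)."""
    candidates = [r for r in rows if not successful_only or r["ResultType"] == "0"]
    ordered = _ordered(candidates)
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["UserPrincipalName"] != cur["UserPrincipalName"]:
            continue  # prev() crossed a user boundary; this is not a travel pair
        if prev["Location"] == cur["Location"]:
            continue
        minutes = (parse_ts(cur["TimeGenerated"]) - parse_ts(prev["TimeGenerated"])).total_seconds() / 60
        km = haversine_km(prev["Latitude"], prev["Longitude"], cur["Latitude"], cur["Longitude"])
        # Two sign-ins in the same minute imply infinite speed; treat that as a hit
        speed = float("inf") if minutes <= 0 else km / (minutes / 60)
        if speed > max_speed_kmh:
            findings.append({
                "user": cur["UserPrincipalName"],
                "from_location": prev["Location"], "to_location": cur["Location"],
                "from_time": prev["TimeGenerated"], "to_time": cur["TimeGenerated"],
                "minutes": minutes, "km": round(km, 1), "speed_kmh": round(speed, 1),
            })
    return findings


def naive_flags(rows):
    """The unguarded query: no per-user check, no success filter, fixed 60-minute window.
    Returns the users it would flag, including the spurious cross-user ones."""
    ordered = _ordered(rows)
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        minutes = (parse_ts(cur["TimeGenerated"]) - parse_ts(prev["TimeGenerated"])).total_seconds() / 60
        if prev["Location"] != cur["Location"] and minutes < 60:
            flagged.append(cur["UserPrincipalName"])
    return flagged


if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_SIGNINS):
        print(finding)
    print("naive query would flag:", naive_flags(SAMPLE_SIGNINS))
```

On the sample data only alice (London to New York in 40 minutes) is a genuine hit; bob's Paris-to-Brussels hop changes country but implies about 350 km/h, and carol's far-away sign-in is a failed attempt, which the successful_only filter drops (pass successful_only=False to surface it as a spray indicator). The naive version flags every one of the five row transitions, including bob's first sign-in compared against alice's last and a negative time difference where the sort wraps from bob to carol.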

When to Use It

  • Incident Investigation: When suspicious Azure tenant activity is detected, use this skill to analyze logs for unauthorized actions or unusual sign-ins.
  • Threat Hunting: Proactively search for indicators of compromise or risky behavior using custom KQL queries.
  • Detection Engineering: Develop and validate cloud SIEM rules and alerting logic based on real-world attack scenarios.
  • Security Monitoring Validation: Confirm that your monitoring covers key attack vectors, such as privilege escalation or unauthorized resource changes.

Important Notes

  • Always use this skill in accordance with your organization's security policies and with proper authorization.
  • For best results, operate in a controlled test or lab environment before deploying detection logic to production.
  • Regularly review and update KQL queries to reflect new attack techniques and evolving Azure services.
  • Log Analytics workspaces apply a configurable retention period per table; make sure the workspace retains AzureActivity and SigninLogs for as long as your investigations and compliance obligations require, since data past the retention window is gone by the time an incident is discovered.
  • Integrate findings from this skill into wider incident response workflows and reporting mechanisms.
  • Review the source repository for additional examples and updates.

By mastering this skill, security practitioners can significantly enhance their ability to detect, investigate, and respond to threats in Azure environments through effective log analysis and automated threat detection.