Splunk Lantern

Successful Azure audit operations

You might want a list of activities and operations performed on your Azure infrastructure when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

As an administrator, you want to regularly run a search of all activities and operations performed on your Azure infrastructure. 

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype="mscs:azure:audit"
|search "status.value"="Succeeded"
|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="mscs:azure:audit"

Search only Azure audit data.

|search "status.value"="Succeeded"

Filter the results to only include events with a status of “Succeeded”.

|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"

Display the results in a table with columns in the order shown.
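To see what the two pipeline stages above do to the underlying events, here is an added offline model of the search (not code from Splunk Lantern or the Splunk add-on) run over constructed JSON events. The nested shape of the events, the sample IP address and the "Failed" event are assumptions; the search's dotted field names are resolved the way Splunk's JSON field extraction exposes them, and a missing or null field shows up as None, which is what produces the empty claims.ipaddr and null resourceLocation cells in the result table.

```python
import json
from collections import Counter
# Constructed sample events (not real Azure data) in the nested JSON shape the dotted
# field names of the search imply; subscription, caller and operation ids are the page's.
SUB = "1213b189-13ff-42fe-b370-df6da421bce1"
CALLER = "b792fc3c-33de-456c-9790-fc98a9070188"
AUDIT_OP = "Microsoft.Authorization/policies/audit/action"
SAMPLE_EVENTS = [
    json.dumps({"_time": "2020-10-25T01:01:30.000+0000", "subscriptionId": SUB,
                "caller": CALLER, "claims": {"ipaddr": "203.0.113.10"},
                "resourceUri": f"/subscriptions/{SUB}/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet",
                "operationName": {"value": AUDIT_OP},
                "resourceProviderName": {"value": "Microsoft.Network"},
                "eventSource": {"localizedValue": "Policy"},
                "properties": {"resourceLocation": "australiasoutheast"},
                "status": {"value": "Succeeded"}}),
    # Succeeded, but with no claims.ipaddr and a null resourceLocation (like row 3 above)
    json.dumps({"_time": "2020-10-25T01:01:25.000+0000", "subscriptionId": SUB,
                "caller": CALLER, "resourceUri": f"/subscriptions/{SUB}",
                "operationName": {"value": AUDIT_OP},
                "resourceProviderName": {"value": "Microsoft.Resources"},
                "eventSource": {"localizedValue": "Policy"},
                "properties": {"resourceLocation": None},
                "status": {"value": "Succeeded"}}),
    # Failed operation (constructed): the status filter drops it
    json.dumps({"_time": "2020-10-25T01:02:00.000+0000", "subscriptionId": SUB,
                "caller": CALLER, "status": {"value": "Failed"},
                "operationName": {"value": "Microsoft.Compute/virtualMachines/write"}}),
]
COLUMNS = ["_time", "subscriptionId", "caller", "claims.ipaddr", "resourceUri",
           "operationName.value", "resourceProviderName.value",
           "eventSource.localizedValue", "properties.resourceLocation"]

def get_field(event, dotted):
    """Resolve a dotted Splunk-style field name against nested JSON; absent -> None."""
    for part in dotted.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def succeeded_operations(raw_events):
    """Model of: |search "status.value"="Succeeded" |table <COLUMNS>."""
    events = [json.loads(raw) for raw in raw_events]
    return [{col: get_field(e, col) for col in COLUMNS}
            for e in events if get_field(e, "status.value") == "Succeeded"]

def operations_by_caller(rows):
    """Compliance roll-up: succeeded operation count per (caller, operation)."""
    return Counter((r["caller"], r["operationName.value"]) for r in rows)
```

The roll-up function is a small extension of the page's search, the equivalent of appending a stats count by caller and operation name, which is the shape a control-attestation report usually takes.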

Result

Sample results for this search are shown in the table below. The information shown is a series of operations called by subscription ID. This audit data is useful for compliance reporting because such a report can greatly reduce the time it takes to attest that controls are in place and being tracked.

_time | subscriptionId | caller | claims.ipaddr | resourceUri | operationName.value | resourceProviderName.value | eventSource.localizedValue | properties.resourceLocation
2020-10-25T01:01:30.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet | Microsoft.Authorization/policies/audit/action | Microsoft.Network | Policy | australiasoutheast
2020-10-25T01:01:27.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/BOTS/providers/Microsoft.Compute/virtualMachines/SPLUNKHF01 | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | australiasoutheast
2020-10-25T01:01:25.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1 | Microsoft.Authorization/policies/audit/action | Microsoft.Resources | Policy | null
2020-10-25T01:01:22.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus
2020-10-25T01:01:10.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus
