List of Azure resource changes
Knowing what modifications are made to cloud infrastructure resources, when they were made, and who made them can help you identify or isolate the origin of a problem or incident.
Data required
Microsoft: Azure resource data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:audit" subscriptionId="*" action=* | dedup correlationId | table caller, action "operationName.localizedValue", object, _time | rename caller AS User action AS Action operationName.localizedValue AS Change object AS Object
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype="mscs:azure:audit" subscriptionId="*" action=* | Search only Microsoft Cloud Services audit data, keeping events that have a subscriptionId and an action value. |
| dedup correlationId | Remove extra events that share the same correlationId value, keeping the first event returned for each one. |
| table caller, action "operationName.localizedValue", object, _time | Format the final results. |
| rename caller AS User action AS Action operationName.localizedValue AS Change object AS Object | Rename fields for better readability. |
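The following Python sketch is an added example, not part of the original page or of Splunk's code. It replays the search logic over constructed events to show which events the filter and `dedup` stages drop. The sample values, the `list_changes` name, and the representation of events as already-extracted fields are assumptions.

```python
# Constructed sample events (not real data), shown as the fields Splunk
# would already have extracted for sourcetype mscs:azure:audit.
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "subscriptionId": "sub-0001",
     "correlationId": "c-1", "caller": "alice@example.com", "action": "write",
     "operationName.localizedValue": "Create or Update Virtual Machine",
     "object": "vm-web-01"},
    # Same operation reported again later: same correlationId.
    {"_time": "2024-05-01T10:00:42Z", "subscriptionId": "sub-0001",
     "correlationId": "c-1", "caller": "alice@example.com", "action": "write",
     "operationName.localizedValue": "Create or Update Virtual Machine",
     "object": "vm-web-01"},
    {"_time": "2024-05-01T10:05:00Z", "subscriptionId": "sub-0001",
     "correlationId": "c-2", "caller": "bob@example.com", "action": "delete",
     "operationName.localizedValue": "Delete Storage Account",
     "object": "stlogs01"},
    # No action field: excluded by action=* in the base search.
    {"_time": "2024-05-01T10:06:00Z", "subscriptionId": "sub-0001",
     "correlationId": "c-3", "caller": "carol@example.com",
     "operationName.localizedValue": "List Keys", "object": "stlogs01"},
]

TABLE_FIELDS = ["caller", "action", "operationName.localizedValue", "object", "_time"]
RENAMES = {"caller": "User", "action": "Action",
           "operationName.localizedValue": "Change", "object": "Object"}


def list_changes(events):
    # Base search: subscriptionId="*" action=* requires both fields to exist.
    matched = [e for e in events if e.get("subscriptionId") and e.get("action")]
    # Splunk returns events newest first, so dedup keeps the most recent
    # event for each correlationId.
    matched.sort(key=lambda e: e["_time"], reverse=True)
    seen, rows = set(), []
    for event in matched:
        cid = event.get("correlationId")
        # By default dedup also drops events where the dedup field is missing.
        if cid is None or cid in seen:
            continue
        seen.add(cid)
        # table + rename: keep the listed fields and apply the readable names.
        rows.append({RENAMES.get(f, f): event.get(f) for f in TABLE_FIELDS})
    return rows


if __name__ == "__main__":
    for row in list_changes(EVENTS):
        print(row)
```

Because only one event per correlationId survives, earlier events of the same operation do not appear in the results; remove the `dedup` stage from the search when you need every event for an operation.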
Next steps
You can use the results of this search to see what changes have been made to Azure resources, helping you identify or isolate the origin of a problem or incident.
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.