Successful Azure audit operations
As an administrator, you want to regularly run a search of all activities and operations performed on your Azure infrastructure.
Data required
Microsoft: Azure Active Directory audit data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
sourcetype="mscs:azure:audit" |search "status.value"="Succeeded" |table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype="mscs:azure:audit"` | Search only Azure audit data. |
| `\|search "status.value"="Succeeded"` | Filter the results to only include events with a status of "Succeeded". |
| `\|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"` | Display the results in a table with columns in the order shown. |
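To see how the dotted field names in the search map onto the nested JSON of an Azure Activity log event, the following added example (not part of the original article or of the Splunk add-on) applies the same filter and projection to constructed sample events outside Splunk; it also counts the surviving rows per subscription, the view the sample results below present. All identifiers in the sample events are made up.

```python
from collections import Counter

# Added example: the filter and projection of the SPL search, applied to raw
# Azure Activity log JSON. The nested layout below is what the dotted SPL field
# names (status.value, claims.ipaddr, ...) are resolved from. Data is constructed.

FIELDS = ["_time", "subscriptionId", "caller", "claims.ipaddr", "resourceUri",
          "operationName.value", "resourceProviderName.value",
          "eventSource.localizedValue", "properties.resourceLocation"]

def make_event(ts, sub, caller, ip, uri, op, provider, source, location, status):
    """Build one event in the nested shape the add-on indexes (constructed data)."""
    claims = {"ipaddr": ip} if ip else {}  # service-principal activity often has no ipaddr claim
    return {"eventTimestamp": ts, "subscriptionId": sub, "caller": caller, "claims": claims,
            "resourceUri": uri, "operationName": {"value": op},
            "resourceProviderName": {"value": provider}, "eventSource": {"localizedValue": source},
            "properties": {"resourceLocation": location}, "status": {"value": status}}

SAMPLE_EVENTS = [
    make_event("2020-10-25T01:01:30.000+0000", "sub-0001", "sp-aaaa", None,
               "/subscriptions/sub-0001/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet",
               "Microsoft.Authorization/policies/audit/action", "Microsoft.Network", "Policy", "australiasoutheast", "Succeeded"),
    make_event("2020-10-25T01:05:00.000+0000", "sub-0001", "admin@example.com", "203.0.113.10",
               "/subscriptions/sub-0001/resourceGroups/bots/providers/Microsoft.Compute/virtualMachines/vm01",
               "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute", "Administrative", "australiasoutheast", "Succeeded"),
    make_event("2020-10-25T01:06:00.000+0000", "sub-0002", "admin@example.com", "203.0.113.10",
               "/subscriptions/sub-0002/resourceGroups/bots/providers/Microsoft.Compute/virtualMachines/vm02",
               "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute", "Administrative", "centralus", "Failed"),
]

def get_field(event, dotted):
    """Resolve a dotted SPL-style field name against nested JSON; None when absent."""
    cur = event
    for key in ["eventTimestamp"] if dotted == "_time" else dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def succeeded_operations(events):
    """search "status.value"="Succeeded" | table FIELDS, returned as a list of row dicts."""
    return [{f: get_field(ev, f) for f in FIELDS}
            for ev in events if get_field(ev, "status.value") == "Succeeded"]

def operations_by_subscription(rows):
    """Count tabled operations per subscription ID (the sample-results view below)."""
    return Counter(r["subscriptionId"] for r in rows)
```

An empty `claims.ipaddr` cell, as in the sample results below, is expected for policy evaluations and other non-interactive callers rather than a sign of lost data.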
Next steps
Sample results for this search are shown in the table below. The information shown is a series of operations called by subscription ID. This audit data is useful for compliance reporting because a report such as this can greatly reduce the time it takes to attest that controls are in place and being tracked.
| _time | subscriptionId | caller | claims.ipaddr | resourceUri | operationName.value | resourceProviderName.value | eventSource.localizedValue | properties.resourceLocation |
|---|---|---|---|---|---|---|---|---|
| 2020-10-25T01:01:30.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet | Microsoft.Authorization/policies/audit/action | Microsoft.Network | Policy | australiasoutheast |
| 2020-10-25T01:01:27.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/BOTS/providers/Microsoft.Compute/virtualMachines/SPLUNKHF01 | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | australiasoutheast |
| 2020-10-25T01:01:25.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1 | Microsoft.Authorization/policies/audit/action | Microsoft.Resources | Policy | null |
| 2020-10-25T01:01:22.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus |
| 2020-10-25T01:01:10.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus |
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.