Splunk Lantern

Successful Azure audit operations

As an administrator, you want to regularly run a search of all activities and operations performed on your Azure infrastructure. 

Data required

Microsoft: Azure Active Directory audit data

Procedure

  1. Configure the Splunk Add-on for Microsoft Cloud Services.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:audit"
|search "status.value"="Succeeded"
|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="mscs:azure:audit"

Search only Azure audit data.

|search "status.value"="Succeeded"

Filter the results to only include events with a status of "Succeeded".

|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"

Display the results in a table with columns in the order shown.
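The following search is an added example, not part of the original Splunk Lantern page: it extends the search above into a summary suited to attestation reporting by grouping successful operations by subscription, caller, operation, provider and location, and substituting a placeholder where claims.ipaddr is not recorded (as in the sample results below). The field names are those the page uses; caller_ip, operations, first_seen, last_seen and resources_touched are output names chosen here.

```spl
sourcetype="mscs:azure:audit" "status.value"="Succeeded"
``` Dotted field names must be single-quoted inside eval; fall back to a marker when the source IP is absent
| eval caller_ip=coalesce('claims.ipaddr', "not recorded")
``` One row per subscription / caller / operation / provider / location, with counts and first/last seen
| stats count AS operations, earliest(_time) AS first_seen, latest(_time) AS last_seen, dc(resourceUri) AS resources_touched
    BY subscriptionId, caller, caller_ip, "operationName.value", "resourceProviderName.value", "properties.resourceLocation"
``` Render the epoch timestamps as readable dates and put the busiest operations first
| convert ctime(first_seen) ctime(last_seen)
| sort - operations
```

Rows whose caller_ip is "not recorded" or whose properties.resourceLocation is null (both visible in the sample data) are worth reviewing separately, since they cannot be attributed to a network origin or region.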

Next steps

Sample results for this search are shown below. The information shown is a series of operations called under one subscription ID. This audit data is useful for compliance reporting because a report such as this can greatly reduce the time it takes to attest that controls are in place and being tracked.

Columns: _time, subscriptionId, caller, claims.ipaddr, resourceUri, operationName.value, resourceProviderName.value, eventSource.localizedValue, properties.resourceLocation. The claims.ipaddr column is empty in every sample row.

Record 1
  _time: 2020-10-25T01:01:30.000+0000
  subscriptionId: 1213b189-13ff-42fe-b370-df6da421bce1
  caller: b792fc3c-33de-456c-9790-fc98a9070188
  claims.ipaddr: (empty)
  resourceUri: /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet
  operationName.value: Microsoft.Authorization/policies/audit/action
  resourceProviderName.value: Microsoft.Network
  eventSource.localizedValue: Policy
  properties.resourceLocation: australiasoutheast

Record 2
  _time: 2020-10-25T01:01:27.000+0000
  subscriptionId: 1213b189-13ff-42fe-b370-df6da421bce1
  caller: b792fc3c-33de-456c-9790-fc98a9070188
  claims.ipaddr: (empty)
  resourceUri: /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/BOTS/providers/Microsoft.Compute/virtualMachines/SPLUNKHF01
  operationName.value: Microsoft.Authorization/policies/audit/action
  resourceProviderName.value: Microsoft.Compute
  eventSource.localizedValue: Policy
  properties.resourceLocation: australiasoutheast

Record 3
  _time: 2020-10-25T01:01:25.000+0000
  subscriptionId: 1213b189-13ff-42fe-b370-df6da421bce1
  caller: b792fc3c-33de-456c-9790-fc98a9070188
  claims.ipaddr: (empty)
  resourceUri: /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1
  operationName.value: Microsoft.Authorization/policies/audit/action
  resourceProviderName.value: Microsoft.Resources
  eventSource.localizedValue: Policy
  properties.resourceLocation: null

Record 4
  _time: 2020-10-25T01:01:22.000+0000
  subscriptionId: 1213b189-13ff-42fe-b370-df6da421bce1
  caller: b792fc3c-33de-456c-9790-fc98a9070188
  claims.ipaddr: (empty)
  resourceUri: /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan
  operationName.value: Microsoft.Authorization/policies/audit/action
  resourceProviderName.value: Microsoft.Compute
  eventSource.localizedValue: Policy
  properties.resourceLocation: centralus

Record 5
  _time: 2020-10-25T01:01:10.000+0000
  subscriptionId: 1213b189-13ff-42fe-b370-df6da421bce1
  caller: b792fc3c-33de-456c-9790-fc98a9070188
  claims.ipaddr: (empty)
  resourceUri: /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan
  operationName.value: Microsoft.Authorization/policies/audit/action
  resourceProviderName.value: Microsoft.Compute
  eventSource.localizedValue: Policy
  properties.resourceLocation: centralus

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.