Splunk Lantern

List of Azure resource changes

 

Knowing what modifications are made to cloud infrastructure resources, when they were made, and who made them can help you identify or isolate the origin of a problem or incident.

Data required 

Microsoft: Azure resource data

Procedure

  1. Configure the Splunk Add-on for Microsoft Cloud Services.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:azure:audit" subscriptionId="*" action=*
| dedup correlationId
| table caller, action, "operationName.localizedValue", object, _time
| rename caller AS User, action AS Action, "operationName.localizedValue" AS Change, object AS Object

Search explanation

The table below explains what each part of this search does. You can adjust the query to fit the specifics of your environment.

Splunk Search / Explanation

sourcetype="mscs:azure:audit" subscriptionId="*" action=*
    Search only Azure audit events collected by the Splunk Add-on for Microsoft Cloud Services, across all subscriptions, keeping events that carry an action field.

| dedup correlationId
    Keep a single event per correlationId. One Azure operation can produce several audit events (for example, its start and its completion) that share the same correlationId, so this removes the duplicates.

| table caller, action, "operationName.localizedValue", object, _time
    Format the final results: who made the change, the action, the human-readable operation name, the affected object, and the event time.

| rename caller AS User, action AS Action, "operationName.localizedValue" AS Change, object AS Object
    Rename fields for better readability.
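As an added example that is not part of the original Lantern article, the same base search can be turned from a flat list into a per-caller summary, which makes it easier to spot an identity making an unusual number of changes in the time range. It uses only the fields shown above; the threshold of 20 changes is an assumed starting point to tune for your environment.

```spl
sourcetype="mscs:azure:audit" subscriptionId="*" action=*
| dedup correlationId
| stats count AS Changes,
        dc("operationName.localizedValue") AS DistinctOperations,
        values("operationName.localizedValue") AS Operations,
        dc(object) AS ObjectsTouched,
        min(_time) AS FirstChange,
        max(_time) AS LastChange
  BY caller
| where Changes >= 20
| eval FirstChange=strftime(FirstChange, "%Y-%m-%d %H:%M:%S"),
       LastChange=strftime(LastChange, "%Y-%m-%d %H:%M:%S")
| sort - Changes
| rename caller AS User
```

Because dedup runs before stats, each Azure operation is counted once regardless of how many audit events it produced; drop the where clause to review every caller rather than only the busiest ones.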

Next steps

You can use the results of this search to see what changes have been made to Azure resources, helping you identify or isolate the origin of a problem or incident.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.