You might want a list of activities and operations performed on your Azure infrastructure when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
As an administrator, you want to regularly run a search of all activities and operations performed on your Azure infrastructure.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="mscs:azure:audit"
|search "status.value"="Succeeded"
|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| sourcetype="mscs:azure:audit" | Search only Azure audit data. |
| \|search "status.value"="Succeeded" | Filter the results to only include events with a status of "Succeeded". |
| \|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation" | Display the results in a table with the columns in the order shown. |
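To see how the dotted field names in this search (status.value, claims.ipaddr, operationName.value and so on) map onto the nested JSON of an Azure Activity Log record, here is an added Python example, not code from the page or from Splunk, that applies the same status filter and column selection to constructed events. The names SUB, event(), flatten() and search_succeeded() are chosen for this example, and the mapping of _time to the record's "time" field is an assumption.

```python
import json

SUB = "1213b189-13ff-42fe-b370-df6da421bce1"  # subscription ID from the page's sample rows
TABLE_FIELDS = ["_time", "subscriptionId", "caller", "claims.ipaddr", "resourceUri",
                "operationName.value", "resourceProviderName.value",
                "eventSource.localizedValue", "properties.resourceLocation"]

def event(ts, caller, ipaddr, uri, op, provider, source, status, location):
    # Builds one Activity Log record with the nested layout the dotted field names rely on.
    return json.dumps({"time": ts, "subscriptionId": SUB, "caller": caller,
                       "claims": {"ipaddr": ipaddr} if ipaddr else {}, "resourceUri": uri,
                       "operationName": {"value": op}, "resourceProviderName": {"value": provider},
                       "eventSource": {"localizedValue": source}, "status": {"value": status},
                       "properties": {"resourceLocation": location}})

# Constructed events: the first mirrors the page's first result row (GUID caller, so no
# ipaddr claim); the other two are a failed and a succeeded write by a user account.
SAMPLE_EVENTS = [
    event("2020-10-25T01:01:30.000+0000", "b792fc3c-33de-456c-9790-fc98a9070188", None,
          f"/subscriptions/{SUB}/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet",
          "Microsoft.Authorization/policies/audit/action", "Microsoft.Network", "Policy",
          "Succeeded", "australiasoutheast"),
    event("2020-10-25T01:02:00.000+0000", "admin@example.com", "203.0.113.10",
          f"/subscriptions/{SUB}/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan",
          "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute", "Administrative",
          "Failed", "centralus"),
    event("2020-10-25T01:02:30.000+0000", "admin@example.com", "203.0.113.10",
          f"/subscriptions/{SUB}/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan",
          "Microsoft.Compute/virtualMachines/write", "Microsoft.Compute", "Administrative",
          "Succeeded", "centralus"),
]

def flatten(obj, prefix=""):
    # Flattens nested JSON into the dotted field names Splunk extracts, e.g. status.value.
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def search_succeeded(raw_events):
    # Equivalent of: search "status.value"="Succeeded" | table <TABLE_FIELDS>
    rows = []
    for raw in raw_events:
        fields = flatten(json.loads(raw))
        fields["_time"] = fields["time"]  # assumption: _time is taken from the "time" field
        if fields.get("status.value") == "Succeeded":
            rows.append({name: fields.get(name) for name in TABLE_FIELDS})  # missing -> None
    return rows
```

A row whose caller is an application or service principal ID comes back with claims.ipaddr empty, just as in the sample results, so an empty IP column is expected rather than a parsing failure.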
Result
Sample results for this search are shown in the table below. The rows show a series of operations, listed by subscription ID. This audit data is useful for compliance reporting because a report like this greatly shortens the time needed to attest that controls are in place and being tracked.
| _time | subscriptionId | caller | claims.ipaddr | resourceUri | operationName.value | resourceProviderName.value | eventSource.localizedValue | properties.resourceLocation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-10-25T01:01:30.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet | Microsoft.Authorization/policies/audit/action | Microsoft.Network | Policy | australiasoutheast |
| 2020-10-25T01:01:27.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/BOTS/providers/Microsoft.Compute/virtualMachines/SPLUNKHF01 | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | australiasoutheast |
| 2020-10-25T01:01:25.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1 | Microsoft.Authorization/policies/audit/action | Microsoft.Resources | Policy | null |
| 2020-10-25T01:01:22.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus |
| 2020-10-25T01:01:10.000+0000 | 1213b189-13ff-42fe-b370-df6da421bce1 | b792fc3c-33de-456c-9790-fc98a9070188 | | /subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan | Microsoft.Authorization/policies/audit/action | Microsoft.Compute | Policy | centralus |