You might want a list of activities and operations performed on your Azure infrastructure when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Data |
Azure audit data, resource data, storage table data, and blob data |
Required |
|
Add-on |
Required |
|
|
Add-on |
Recommended |
|
|
App |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
As an administrator, you want to regularly run a search of all activities and operations performed on your Azure infrastructure.
- Run the following search:
sourcetype="mscs:azure:audit"
|search "status.value"="Succeeded"
|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation"
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype="mscs:azure:audit" |
Search only Azure audit data. |
|
|search "status.value"="Succeeded" |
Filter the results to only include events with a status of “Succeeded”. |
|
|table _time subscriptionId, caller "claims.ipaddr" resourceUri "operationName.value" "resourceProviderName.value" "eventSource.localizedValue" "properties.resourceLocation" |
Display the results in a table with columns in the order shown. |
Result
Sample results for this search are shown in the table below. The information shown is a series of operations called by subscription ID. This audit data is useful for compliance reporting because a report such as this can greatly speed the time it takes to give attestation that controls are in place and being tracked.
|
_time |
subscriptionId |
caller |
claims.ipaddr |
resourceUri |
operationName.value |
resourceProviderName.value |
eventSource.localizedValue |
properties.resourceLocation |
|
2020-10-25T01:01:30.000+0000 |
1213b189-13ff-42fe-b370-df6da421bce1 |
b792fc3c-33de-456c-9790-fc98a9070188 |
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet |
Microsoft.Authorization/policies/audit/action |
Microsoft.Network |
Policy |
australiasoutheast |
|
|
2020-10-25T01:01:27.000+0000 |
1213b189-13ff-42fe-b370-df6da421bce1 |
b792fc3c-33de-456c-9790-fc98a9070188 |
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/BOTS/providers/Microsoft.Compute/virtualMachines/SPLUNKHF01 |
Microsoft.Authorization/policies/audit/action |
Microsoft.Compute |
Policy |
australiasoutheast |
|
|
2020-10-25T01:01:25.000+0000 |
1213b189-13ff-42fe-b370-df6da421bce1 |
b792fc3c-33de-456c-9790-fc98a9070188 |
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1 |
Microsoft.Authorization/policies/audit/action |
Microsoft.Resources |
Policy |
null |
|
|
2020-10-25T01:01:22.000+0000 |
1213b189-13ff-42fe-b370-df6da421bce1 |
b792fc3c-33de-456c-9790-fc98a9070188 |
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan |
Microsoft.Authorization/policies/audit/action |
Microsoft.Compute |
Policy |
centralus |
|
|
2020-10-25T01:01:10.000+0000 |
1213b189-13ff-42fe-b370-df6da421bce1 |
b792fc3c-33de-456c-9790-fc98a9070188 |
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/FROTHLY/providers/Microsoft.Compute/virtualMachines/Ryan |
Microsoft.Authorization/policies/audit/action |
Microsoft.Compute |
Policy |
centralus |
Comments
0 comments
Please sign in to leave a comment.