Who did what on your Azure resources

James Dumont le Douarec
Microsoft Azure
Jan 31, 2022

Introduction

This article is written as a cookbook focused on finding out who edited resources on Microsoft Azure.

We will use Azure Monitor and Kusto queries to retrieve that information.

Every query in this article can be run from the Azure Monitor Logs blade, available here: https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/logs

Tip: the “caller” column in the following queries shows the UPN when the caller is a user; otherwise it shows the Azure AD object ID. If the caller is a service principal, you can resolve it with the following PowerShell Az cmdlet:

Get-AzADServicePrincipal -ObjectId $Caller

Who did delete Virtual Machines

Who did start or deallocate Virtual Machines

This one is very similar to “Who did delete Virtual Machines”, except that we changed the OperationNameValue and used the Kusto operator in~, which is case-insensitive.
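The pattern described above, as an added example that is not one of the article's own queries: it filters the AzureActivity table on the VM start and deallocate operations with the case-insensitive in~ operator and returns the caller for each hit. The 7-day window and the success-only filter are assumptions to adjust for your environment.

```kusto
// Added example, not the article's query: who started or deallocated
// Virtual Machines in the last 7 days.
// Table and column names come from the AzureActivity schema.
AzureActivity
| where TimeGenerated > ago(7d)                     // assumption: time window
// in~ matches regardless of case, so the lowercase literals below also
// match the uppercase values Azure writes into OperationNameValue.
| where OperationNameValue in~ (
    "microsoft.compute/virtualmachines/start/action",
    "microsoft.compute/virtualmachines/deallocate/action")
| where ActivityStatusValue == "Success"            // assumption: ignore Start/Accept events
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue,
          ResourceGroup, _ResourceId
| order by TimeGenerated desc
```

When Caller is a GUID rather than a UPN, resolve it with the Get-AzADServicePrincipal cmdlet shown above.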

Who did list Storage Account Keys

Who did restart App Services, Function App or Slot

Who did enable or disable auto scaling on an App Service

Who did consult any secret, key or certificate in a Key Vault

Conclusion

Finding who did what on Azure relies on the following concepts:

  • The IAM role you need in order to read the logs, and the role the caller needed to perform the operation.
  • The scope where the caller performed the operation (Virtual Machine, Function App, etc.).
  • The operation you are looking for (Start Virtual Machine, Create or Update Disk, Delete Restore Point, Write tags, etc.).
  • The Azure AD identity of the caller.

With that in mind, you can find out everything that happened in your cloud.

See you in the Cloud

Jamesdld
