
Analyzing Azure Activity Logs for Threats

When to Use

  • When investigating security incidents that require analyzing azure activity logs for threats
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, detecting suspicious admin operations and sign-in anomalies.
```python
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient, LogsQueryStatus
from datetime import timedelta

# DefaultAzureCredential picks up environment variables, a managed identity, or an
# az login session; the identity needs read access on the workspace.
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

# OperationNameValue is matched with 'has', which is case-insensitive.
response = client.query_workspace(
    workspace_id="WORKSPACE_ID",
    query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10",
    timespan=timedelta(hours=24),
)

# A partial result (e.g. a query that hit a limit) carries its rows in partial_data;
# a full result carries them in tables.
tables = response.tables if response.status == LogsQueryStatus.SUCCESS else response.partial_data
for table in tables:
    for row in table.rows:
        print(row)
```
Key detection queries:
  1. Role assignment changes (privilege escalation)
  2. Resource group and subscription modifications
  3. Key vault secret access from new IPs
  4. Network security group rule changes
  5. Conditional access policy modifications
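As an added example (not code from the original page), the function below applies the first, second and fourth categories above to rows returned by such a query, deduplicating the Start/Success row pairs that Azure Resource Manager logs and flagging callers outside an IP baseline; the AzureActivity column names are real, while the operation-name values and sample rows are assumed and constructed here:

```python
from collections import Counter

# Control-plane operations in AzureActivity mapped to the categories above; keys are
# lower-cased OperationNameValue strings (ARM operation names assumed; verify in your workspace).
HIGH_RISK_OPS = {
    "microsoft.authorization/roleassignments/write": "role assignment change",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule change",
    "microsoft.resources/subscriptions/resourcegroups/delete": "resource group deletion",
}

def triage_activity(rows, known_ips, burst_threshold=3):
    """Flag high-risk AzureActivity rows (dicts keyed by column name), noting whether the
    caller IP is outside known_ips; a caller with burst_threshold or more successful role
    assignment writes is also reported as an escalation burst."""
    findings, role_writes = [], Counter()
    for row in rows:
        category = HIGH_RISK_OPS.get((row.get("OperationNameValue") or "").lower())
        # ARM writes a 'Start' row and later a 'Success'/'Failure' row for one
        # operation; skip 'Start' so each operation is counted once.
        if category is None or row.get("ActivityStatusValue") == "Start":
            continue
        ip, caller = row.get("CallerIpAddress", ""), row.get("Caller", "")
        finding = {"time": row.get("TimeGenerated"), "caller": caller, "ip": ip,
                   "category": category, "status": row.get("ActivityStatusValue"),
                   "new_ip": bool(ip) and ip not in known_ips}
        findings.append(finding)
        if category == "role assignment change" and finding["status"] == "Success":
            role_writes[caller] += 1
    for caller, n in role_writes.items():
        if n >= burst_threshold:
            findings.append({"caller": caller, "category": "role assignment burst",
                             "count": n, "new_ip": False})
    return findings
def _row(ts, op, caller, ip, status):  # a row shaped like an AzureActivity query result
    return {"TimeGenerated": ts, "OperationNameValue": op, "Caller": caller,
            "CallerIpAddress": ip, "ActivityStatusValue": status}
# Constructed sample rows; 203.0.113.10 is the only IP in the baseline.
ROLE = "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
NSG = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE"
SAMPLE_ROWS = [
    _row("2024-05-01T10:00:00Z", ROLE, "alice@example.com", "203.0.113.10", "Start"),
    _row("2024-05-01T10:00:02Z", ROLE, "alice@example.com", "203.0.113.10", "Success"),
    _row("2024-05-01T10:05:00Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "alice@example.com", "203.0.113.10", "Success"),
    _row("2024-05-01T11:00:00Z", ROLE, "bob@example.com", "198.51.100.7", "Success"),
    _row("2024-05-01T11:01:00Z", ROLE, "bob@example.com", "198.51.100.7", "Success"),
    _row("2024-05-01T11:02:00Z", ROLE, "bob@example.com", "198.51.100.7", "Success"),
    _row("2024-05-01T11:10:00Z", NSG, "bob@example.com", "198.51.100.7", "Failure"),
]
KNOWN_IPS = {"203.0.113.10"}
```

Running `triage_activity(SAMPLE_ROWS, KNOWN_IPS)` yields six findings: alice's single role write from a known IP, bob's three role writes and one failed NSG change from an unknown IP, and a burst finding for bob.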

Examples

Detect new Global Admin role assignments

```python
# This query reads the Entra ID AuditLogs table (directory role changes) rather than
# AzureActivity; pass it to client.query_workspace() exactly as above.
query = '''
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].modifiedProperties[0].newValue has "Global Administrator"
'''
```