Acquaint yourself with the relevant information about Azure Activity Logs


Azure Activity Logs are a fundamental aspect of monitoring and auditing within Azure, providing insights into operations on Azure resources. Here's what you need to know:

What Are Activity Logs?

Definition:

Activity logs capture control-plane events at the subscription level, detailing operations like creating, updating, or deleting Azure resources.

Purpose:

  1. Track resource changes and actions.

  2. Provide auditing for compliance and governance.

  3. Assist in troubleshooting resource-level issues.

Key Features

  1. Scope: Logs capture control-plane operations performed on a resource through Azure Resource Manager, such as resource creation or policy updates. They do not include data-plane events (e.g., read/write operations within a storage account).

  2. Retention: Activity logs are retained for 90 days by default in the Azure Portal. Export logs to Log Analytics, Storage Accounts, or Event Hubs for longer retention or advanced analysis.

  3. Default Availability: Enabled by default for all Azure subscriptions.

Types of Events in Activity Logs

  1. Administrative Events: Record management operations like creating, deleting, or updating resources.

  2. Service Health Events: Provide information on Azure service issues that might affect your resources.

  3. Policy Events: Log policy evaluations for compliance checks and violations.

  4. Security Events: Capture operations related to security, like assigning roles or managing security rules.

  5. Alert Events: Include notifications triggered by activity log-based alerts.

Viewing Activity Logs

  1. Azure Portal:

    • Navigate to Monitor > Activity Logs.

    • Use filters to specify the time range, resource group, resource type, or event category.

  2. Azure CLI/PowerShell:

    • Retrieve activity logs programmatically for automation or integration.

    • Example with Azure CLI:

  3. Log Analytics:

    • Ingest activity logs into a Log Analytics workspace for advanced querying and visualization using KQL.

Exporting Activity Logs

Export Methods:

  1. Log Analytics: Store logs for detailed analysis and custom dashboards.

  2. Event Hubs: Stream logs to external systems like SIEM tools.

  3. Storage Accounts: Archive logs for long-term retention and compliance.

Common Use Cases

  1. Auditing and Compliance: Track who performed what action and when on Azure resources. Monitor policy compliance and governance adherence.

  2. Troubleshooting: Investigate issues like accidental resource deletions or misconfigurations. Identify root causes of deployment failures.

  3. Monitoring and Alerts: Create alerts based on specific activity log events (e.g., when a resource is deleted).

  4. Security Monitoring: Detect unauthorized or suspicious activities, such as unusual administrative actions.

Best Practices

  1. Enable Diagnostic Settings: Export activity logs to Log Analytics or a storage account for extended retention and analysis.

  2. Set Up Alerts: Configure alerts for critical events, such as resource deletions or policy violations.

  3. Regularly Monitor: Periodically review activity logs to ensure resource changes align with expectations.

  4. Use Automation: Automate responses to specific activity log events using Azure Logic Apps or Azure Functions.

  5. Integrate with Security Tools: Feed activity logs into Azure Sentinel or third-party SIEM systems for security insights.

Limitations

  1. Data-Plane Logs Not Included: Activity logs do not track operations inside resources (e.g., file uploads to Azure Storage).

  2. Retention Limit in Portal: Default retention is 90 days, necessitating export for longer-term storage.

Example Queries

If exported to a Log Analytics workspace, you can query activity logs with Kusto Query Language (KQL):

  1. Find All Resource Deletions:

  2. Track Actions by a Specific User:
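Applying the two example questions to an exported log, as added example code that is not from the original article: it filters records shaped like the Activity Log event schema (the JSON a diagnostic-setting export or `az monitor activity-log list` returns, with `operationName.value`, `status.value`, `caller`, `eventTimestamp` and `resourceId`), first for successful resource deletions and then for everything one caller did. The records are constructed samples with placeholder subscription, caller and role-assignment IDs.

```python
"""Sift exported Azure Activity Log records for the page's two example questions:
which resources were deleted, and what one caller did (assumed field names below)."""

# Constructed sample records, shaped like the Activity Log event schema that a
# diagnostic-setting export or `az monitor activity-log list` returns
# (operationName.value, status.value, caller, eventTimestamp, resourceId).
# Callers, subscription and assignment IDs are made-up placeholders.
SUB = "/subscriptions/SUB-ID-PLACEHOLDER"
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-05-01T10:02:11Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Started"}, "category": {"value": "Administrative"},
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01"},
    {"eventTimestamp": "2024-05-01T10:02:40Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"}, "category": {"value": "Administrative"},
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01"},
    {"eventTimestamp": "2024-05-01T11:15:03Z", "caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"},
     "status": {"value": "Failed"}, "category": {"value": "Administrative"},
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"},
    {"eventTimestamp": "2024-05-01T12:00:00Z", "caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"}, "category": {"value": "Administrative"},
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/ASSIGNMENT-ID"},
]


def find_deletions(records, succeeded_only=True):
    """Return (timestamp, caller, resourceId) for delete operations. The Activity
    Log writes one record per phase of an operation (Started, then Succeeded or
    Failed), so keep only the Succeeded record to count each real deletion once."""
    out = []
    for rec in records:
        if not rec["operationName"]["value"].lower().endswith("/delete"):
            continue
        if succeeded_only and rec["status"]["value"] != "Succeeded":
            continue
        out.append((rec["eventTimestamp"], rec["caller"], rec["resourceId"]))
    return out


def actions_by_caller(records, caller):
    """Chronological (timestamp, operation, status, resourceId) rows for one
    caller; matched case-insensitively because user principal names are not."""
    wanted = caller.lower()
    return sorted((r["eventTimestamp"], r["operationName"]["value"],
                   r["status"]["value"], r["resourceId"])
                  for r in records if r.get("caller", "").lower() == wanted)
```

Pass `succeeded_only=False` when reviewing attempts rather than outcomes: a Failed delete still shows who tried to remove what, which is the signal security monitoring usually wants.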

Getting Started

  1. Access activity logs via the Azure Portal under the Monitor section.

  2. Configure Export Settings for extended retention.

  3. Use filters or queries to analyze specific events.

Summary

Azure Activity Logs are a vital tool for auditing, compliance, and operational monitoring, offering essential insights into the actions taken across your Azure subscription.

Rajnish, MCT
