Microsoft Azure offers a suite of over 600+ cloud computing services that allow organizations across every industry to deploy, manage and monitor workloads. In any cloud deployment, your monitoring strategy should be focused on both the application and platform levels.

Azure platform logs record the who, what, when, and where of all user-performed and service account activity within your Azure environment. Collecting and analyzing Azure platform logs is vital for monitoring the security of your Azure assets and identifying potentially malicious activity before it can propagate across your system and cause serious issues.

Microsoft Azure Platform Logs:

Microsoft Azure generates three categories of platform logs that record different types of actions:

Azure Active Directory reports detailed changes made in Azure AD and login activity.

Activity logs record operations performed on an Azure resource (i.e., operations coming from the control plane), such as creating a VM. Activity logs also record Service Health events.

Resource logs capture operations performed within an Azure resource (i.e., operations coming from the data plane), such as querying a database or writing to a storage bucket.

Azure Active Directory (Azure AD)

Azure uses Azure Active Directory (Azure AD) to manage identity and access management (IAM) across all resources within an organization, referred to as a tenant. AAD is used for hybrid identity and cloud identity in your organization. You’re using Microsoft 365, Teams, SharePoint Online, OneDrive, etc… the identity is managed via Azure AD.

To help structure which users and services have permission to access resources, Azure AD organizes a tenant’s cloud resources during a directory structure across four levels: management groups, subscriptions, resource groups, and resources.

These levels act as a hierarchy, so permissions configured for an entity at a better level apply to all or any sub-resources within that entity. At the very top of every tenant’s Azure AD hierarchy may be a root management group, which controls global policies applied to the remainder of the directory.

Azure AD creates a managed identity for every resource in your directory. The identity provides access credentials supported that resource’s resource group and subscription. When a user or resource attempts to perform an action (such as reading from a storage bucket or creating a VM), it requests an access token from Azure AD, which is employed to authenticate the request. The request is logged and contains detailed information about the action performed in your environment.

There are two subtypes of Azure AD logs: activity logs and security reports. Activity logs record the actions of users in your organization, such as sign-ins, as well as all user credential changes. Activity logs recording user sign-ins will have Sign-In as their Category field, while credential changes will have Policy.

Security reports record any instances of unusual (and potentially malicious) user activity, such as multiple failed sign-ins or access from a new country. Similarly, these logs will also have Sign-In or Audit logs as their category type respectively.

Activity Logs

Azure activity logs record either creates and changes (i.e., PUT, POST, and DELETE operations) performed on the resources within your Azure subscriptions, like starting a virtual machine or editing the configuration of a resource.

Each activity log contains key information on the particulars of the event, including which user (if any), performed the operation, which resources the operation was attempted on when the operation occurred, and whether it had been successful.

There are multiple categories of activity logs, but the bulk of actions on your subscription-level assets are going to be associated with configuration changes, so you likely will most often see ‘Administrative’ or ‘Policy’ values within the Category field.

In order to store and access your activity logs, you need to create a workspace in Log Analytics, Azure’s log management tool.

Sample Activity: Setting up a Management Ready Only Lock on a Load Balancer

"authorization.action": "Microsoft.Authorization/locks/write"

The log’s authorization.scope field also tells us which subscription and resource group the load balancer is a part of, which can help us discern which access permissions allowed the user to make the configuration changes.

Resource logs

Resource logs detail all of the actions that occur within an existing Azure resource, like reads and writes to a vault in Azure Key Vault, or to a database in Azure SQL Database. Like activity logs, resource logs each contain a schema of standardized fields that provide key information like the ID of the resource during which the request was made (as well because the IDs of the subscription and resource group to which the resource belongs), the timestamp of the request, and whether or not the request succeeded. Like activity logs, you would like to make a Log Analytics workspace so as to store and access your resource logs.

Because there are numerous sorts of resource logs, it’s best to assume that any log with a Category type not mentioned within the above Azure AD and activity log sections may be a resource log. Resource log categories depend upon the sort of resource being modified and are often descriptive of the “scope” of the actions taken, like Execution or Request.

It’s important to note that, unlike Azure AD and activity logs, Azure services do not emit resource logs by default due to their volume. In order to enable resource log collection, you need to create a diagnostic setting for each resource and designate which Log Analytics workspace will receive its logs.