If there is a particular resource you want to look for changes that have been going on, you can check the resource group and investigate the deployment logs. If that has not been enabled, well you have one option. You here also have the option to collect data using the diagnostics settings. However, if there are changes that have been made longer then 30 days it will not appear in the portal. It to stores data for 30 days about activities. Regardless of if it his a delete/create/update log. The Azure Activity Log shows all activities that have been done to the environment. If there is a specific Error Code, you can look up the error code here to get more information –> Azure Resource Manager Logs (and deployments) Here is an example cost table showing the cost of storing data in Log Analytics depending on the amount of users. This to allow for centralized log management. Get-AzureADUser -all (Useful to get list of all Azure AD Users)Īlso, you can export these data to a centralized Log Analytics Workspace. Now you can access these logs programmatically as well using PowerShell, you need to use the latest AzureADPreview Module. You also have the audit log which shows changes to Azure Active Directory, this can be changed to Conditional Access or even synchronization changes from Azure AD Connect.Īlso, within the Usage and Insight pane you can also see the usage of different service principals. ( NOTE: There is 2 – 5 minute delay before log data shows in the Azure Portal) The various sources which the view reflects can be shown here –> Azure Active Directory sign-in activity reports – preview | Microsoft Docs Now both the Sign-in and audit logs does support configuring integration to Log Analytics using “Export Data Settings” however if this is not configured in the current tenant you would need to download the log files from each of the sources.įor instance, under the Azure AD Sign-in logs you now have different filtering views to show differences between user-signs both interactive and non-interactive and service principals. Security – Risky sign-ins and Users flagged for risk.Activity – Sign-in logs, Audit Logs and Provisioning Logs.Within Azure Active Directory there are a couple of different log sources that we can investigate to discover if for instance there has been a compromised account that has been accessing the environment. ![]() First of we need to understand who has been working inside the environment. NOTE: If you are using Azure AD Free you only have audit and sign-in logs available for 7 days Audit Itemįor instance, all changes to an Azure environment would be stored in the Azure Activity Log under each subscription (but only for 30 days) so if the change happened some time ago, it would be difficult to get information about who made the change. Some of the log sources that are available in an Azure environment. So to figure out what happened I need multiple data sources to get the full picture. However, most of these services are not enabled by default, hence when logging into an Azure environment with none of these services enabled you have limited information to work based out of. With username domain\administrator from IP Security Event Logs: Successful logged on AD user. ![]()
0 Comments
Leave a Reply. |