Forum Discussion
Porter76
Oct 20, 2023Brass Contributor
Can I see when someone creates a new Azure subscription?
Are there logs within sentinel I can query to see when a new azure subscription is enabled? We recently had a user accidentally setup a new subscription and I was only able to see in the subscription activity log not in Sentinel.
Is there a data table where I can see this?
Thanks.
- Clive_WatsonBronze ContributorYou can see when a new Subscription starts to write data (which could be after its created/enabled)
An example, which compares any seen in the last month -1day to the SubscriotionIDs seen today, so any new one in the past 24hrs must be newly active:
let lastMonth = (
AzureActivity
| where TimeGenerated between(ago(30d) .. endofday(ago(1d)))
| distinct SubscriptionId
);
AzureActivity
| where TimeGenerated > ago(1d)
| where SubscriptionId !in(lastMonth)
| distinct SubscriptionId, TimeGenerated - LeonPavesicSilver Contributor
Hi Porter76,
as far as I know, Microsoft Azure does provide the capability to monitor and track the creation of new Azure subscriptions but not with Sentinel rather using Log analytics and Azure Logic App.
Here is an interesting article how to achive that:
Monitoring for Azure Subscription Creation - Microsoft Community Hub
Azure Activity connector for Microsoft Sentinel | Microsoft LearnPlease click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)