Forum Discussion
Can I see when someone creates a new Azure subscription?
Are there logs within sentinel I can query to see when a new azure subscription is enabled? We recently had a user accidentally setup a new subscription and I was only able to see in the subscription...
You can see when a new Subscription starts to write data (which could be after its created/enabled)
An example, which compares any seen in the last month -1day to the SubscriotionIDs seen today, so any new one in the past 24hrs must be newly active:
let lastMonth = (
AzureActivity
| where TimeGenerated between(ago(30d) .. endofday(ago(1d)))
| distinct SubscriptionId
);
AzureActivity
| where TimeGenerated > ago(1d)
| where SubscriptionId !in(lastMonth)
| distinct SubscriptionId, TimeGenerated
An example, which compares any seen in the last month -1day to the SubscriotionIDs seen today, so any new one in the past 24hrs must be newly active:
let lastMonth = (
AzureActivity
| where TimeGenerated between(ago(30d) .. endofday(ago(1d)))
| distinct SubscriptionId
);
AzureActivity
| where TimeGenerated > ago(1d)
| where SubscriptionId !in(lastMonth)
| distinct SubscriptionId, TimeGenerated