Forum Discussion
jjsantanna
Apr 02, 2020 Brass Contributor
Where Cloudshell issued commands are logged?
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
- Apr 20, 2020
AFAIK it logs the session, user etc but not commands
Go to Log Analytics and run query
// Count Cloud Shell activity by caller, IP address, status and action
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, CategoryValue, action_

// List success vs. failure
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count() by Caller, ActivityStatus
Lewis-H
Iron Contributor
Users can choose between Bash or PowerShell.
Select Cloud Shell.
Select Bash or PowerShell.
Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language support. Cloud Shell also securely authenticates automatically for instant access to your resources through the Azure CLI or Azure PowerShell cmdlets.
jjsantanna
Apr 20, 2020 Brass Contributor
What is this answer about? The question is "where Cloudshell issued commands are LOGGED?" I think you misunderstand something. Or please clarify.