Forum Discussion

jjsantanna's avatar
jjsantanna
Brass Contributor
Apr 02, 2020

Where Cloudshell issued commands are logged?

Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
  • CliveWatson's avatar
    CliveWatson
    Apr 20, 2020

    jjsantanna 

     

    AFAIK it logs the session, user etc but not commands 

     

    Go to Log Analytics and run query

     

    AzureActivity
    | where ResourceGroup startswith "CLOUD-SHELL"
    | extend action_ = tostring(parse_json(Authorization).action) 
    | summarize count() by ResourceGroup  , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue,  CategoryValue , action_ 

     

    // List sucess vs. failure 
    AzureActivity
    | where ResourceGroup startswith "CLOUD-SHELL"
    | summarize count(ActivityStatus) by Caller, ActivityStatus

Share

Resources