jjsantanna
Apr 02, 2020 - Brass Contributor
Where Cloudshell issued commands are logged?
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
- Apr 20, 2020
AFAIK it logs the session, user, etc., but not commands.
Go to Log Analytics and run query
AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | extend action_ = tostring(parse_json(Authorization).action) | summarize count() by ResourceGroup , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue, CategoryValue , action_
// List success vs. failure
AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | summarize count() by Caller, ActivityStatus
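To dry-run the logic of those two queries before putting them into an analytics rule, the following Python reproduces them over a handful of constructed AzureActivity records. This is an added example, not code from the thread or from Microsoft; the records, callers, IPs and the storage-account action in them are invented for illustration, and the column names are the AzureActivity columns the queries above reference. It also shows the point of the answer: what lands in AzureActivity for Cloud Shell is the control-plane work around the session's storage account, not the commands typed into the shell.

```python
import json
from collections import Counter

# Constructed sample records (not real telemetry). Field names mirror the
# AzureActivity columns used in the KQL above; every value is made up.
LISTKEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cloud-shell-storage-westeurope"

def _rec(rg, caller, ip, status, substatus, auth):
    return {
        "ResourceGroup": rg,
        "Caller": caller,
        "CallerIpAddress": ip,
        "ActivityStatusValue": status,
        "ActivitySubstatusValue": substatus,
        "CategoryValue": "Administrative",
        "Authorization": auth,
    }

SAMPLE_RECORDS = [
    _rec("CLOUD-SHELL-STORAGE-WESTEUROPE", "alice@example.com", "203.0.113.10",
         "Success", "OK", json.dumps({"action": LISTKEYS, "scope": SCOPE})),
    _rec("CLOUD-SHELL-STORAGE-WESTEUROPE", "alice@example.com", "203.0.113.10",
         "Success", "OK", json.dumps({"action": LISTKEYS, "scope": SCOPE})),
    _rec("CLOUD-SHELL-STORAGE-WESTEUROPE", "bob@example.com", "198.51.100.7",
         "Failed", "Forbidden", json.dumps({"action": LISTKEYS, "scope": SCOPE})),
    # Not a Cloud Shell resource group: must be filtered out.
    _rec("PROD-WEB", "dave@example.com", "192.0.2.44",
         "Success", "OK", json.dumps({"action": "Microsoft.Web/sites/restart/action"})),
    # Malformed Authorization column: parse_json() in KQL yields no .action here.
    _rec("CLOUD-SHELL-STORAGE-WESTEUROPE", "erin@example.com", "203.0.113.99",
         "Success", "OK", "not json"),
]

def is_cloud_shell(record):
    # KQL 'startswith' is case-insensitive; normalise before comparing.
    return str(record.get("ResourceGroup", "")).upper().startswith("CLOUD-SHELL")

def authorization_action(record):
    # Equivalent of tostring(parse_json(Authorization).action).
    # Unparseable or non-object values give "" just as the KQL does.
    auth = record.get("Authorization")
    if isinstance(auth, dict):
        return str(auth.get("action", ""))
    try:
        parsed = json.loads(auth or "{}")
    except (ValueError, TypeError):
        return ""
    return str(parsed.get("action", "")) if isinstance(parsed, dict) else ""

def summarize_by_action(records):
    # First query: summarize count() by RG, Caller, IP, status, substatus, category, action.
    counts = Counter()
    for r in records:
        if not is_cloud_shell(r):
            continue
        key = (r.get("ResourceGroup"), r.get("Caller"), r.get("CallerIpAddress"),
               r.get("ActivityStatusValue"), r.get("ActivitySubstatusValue"),
               r.get("CategoryValue"), authorization_action(r))
        counts[key] += 1
    return counts

def success_vs_failure(records):
    # Second query: summarize count() by Caller, ActivityStatus.
    counts = Counter()
    for r in records:
        if is_cloud_shell(r):
            counts[(r.get("Caller"), r.get("ActivityStatusValue"))] += 1
    return counts

def failed_callers(records, min_failures=1):
    # A simple alert condition on top of the second query: callers whose Cloud Shell
    # storage operations failed at least min_failures times (hypothetical threshold).
    sf = success_vs_failure(records)
    return {caller for (caller, status), n in sf.items()
            if status == "Failed" and n >= min_failures}

if __name__ == "__main__":
    for key, n in summarize_by_action(SAMPLE_RECORDS).items():
        print(n, key)
    print(success_vs_failure(SAMPLE_RECORDS))
    print(failed_callers(SAMPLE_RECORDS))
```

The aggregation keys are exactly the columns the two `summarize` clauses group on, so if the Python grouping looks right on constructed input the KQL should behave the same way on live AzureActivity data; what neither will ever show is the command text, because that is not written to AzureActivity.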