Forum Discussion
jjsantanna
Apr 02, 2020Brass Contributor
Where Cloudshell issued commands are logged?
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
- Apr 20, 2020
AFAIK it logs the session, user etc but not commands
Go to Log Analytics and run query
AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | extend action_ = tostring(parse_json(Authorization).action) | summarize count() by ResourceGroup , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue, CategoryValue , action_
// List sucess vs. failure AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | summarize count(ActivityStatus) by Caller, ActivityStatus
Rod_Trent
Dec 23, 2021Microsoft
To close this out...here's a query that can be used by Microsoft Sentinel to track Cloud Shell usage using the AzureActivity table: https://cda.ms/3vJ
- bijaykumar1857Jul 30, 2024Copper Contributor
Rod_Trent can you please provide the information about logging cloudhsell commands logs in log analytics