04-02-2020 04:47 AM
04-02-2020 04:47 AM
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where are the logs for commands issued using CloudShell. Just adding some context: I'm willingly to monitor the reconnaissance phase (e.g. CloudShell: > Get-AzResource). Could you give me some direction on where to find those log-lines if those exist?
Thanks in advance.
04-02-2020 09:39 AM
@jjsantanna I'm testing to be sure...but that data should be contained in the AzureActivity table (if you have it enabled). Its going to be a bit before my data refreshes, but if you've run Cloud Shell recently, run the following query bit on its own:
search "Cloud Shell"
04-03-2020 01:20 AM
@rodtrent did you test what you sent to me? your idea was the first test that I did, two weeks ago =D and NO, it doesn't work (at least not to me). And NO, it didn't show anything related Cloud Shell at AzureActivity (this was also my 'educated' guess). If you had a successful test, could you please send me a print-screen?
04-03-2020 05:00 AM
@jjsantanna Yes...but I'm doing to have to dig deeper. I had never thought to figure this out prior.
It does return information about Cloud Shell, but only relation to success of storage key access for the storage component for Cloud Shell that started and succeeded. This is still a solid indicator that someone initiated Cloud Shell, but it doesn't seem to record much more than that. So, I'll keep digging.
04-20-2020 01:15 AMSolution
AFAIK it logs the session, user etc but not commands
AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | extend action_ = tostring(parse_json(Authorization).action) | summarize count() by ResourceGroup , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue, CategoryValue , action_
// List sucess vs. failure AzureActivity | where ResourceGroup startswith "CLOUD-SHELL" | summarize count(ActivityStatus) by Caller, ActivityStatus
04-20-2020 01:25 AM
04-20-2020 01:33 AM
Please take a look at https://feedback.azure.com/forums/598699-azure-cloud-shell and provide feedback. I had a very quick look, and didn't see a similar request.
I also see questions and answers in the Azure community, maybe worth asking there as well? i.e. https://techcommunity.microsoft.com/t5/azure/azure-cloud-shell-error/m-p/70846
04-20-2020 04:55 AM - edited 04-20-2020 04:56 AM
Users can choose between Bash or PowerShell.
Select Cloud Shell.
Select Bash or PowerShell.
Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language support. Cloud Shell also securely authenticates automatically for instant access to your resources through the Azure CLI or Azure PowerShell cmdlets.
04-20-2020 04:57 AM