SOLVED

Where Cloudshell issued commands are logged?


Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where the logs for commands issued using CloudShell are. Just adding some context: I'm willing to monitor the reconnaissance phase (e.g. CloudShell: > Get-AzResource). Could you give me some direction on where to find those log-lines if they exist?

Thanks in advance.

9 Replies

@jjsantanna I'm testing to be sure...but that data should be contained in the AzureActivity table (if you have it enabled). It's going to be a bit before my data refreshes, but if you've run Cloud Shell recently, run the following query bit on its own:

search "Cloud Shell"


@rodtrent did you test what you sent to me? Your idea was the first test that I did, two weeks ago =D and NO, it doesn't work (at least not for me). And NO, it didn't show anything related to Cloud Shell in AzureActivity (this was also my 'educated' guess). If you had a successful test, could you please send me a print-screen?


@jjsantanna Yes...but I'm going to have to dig deeper. I had never thought to figure this out before.

It does return information about Cloud Shell, but only in relation to successful storage key access for the storage component of a Cloud Shell session that started and succeeded. This is still a solid indicator that someone initiated Cloud Shell, but it doesn't seem to record much more than that. So, I'll keep digging.


Hi @rodtrent, did you have any chance to take a look at it?

Solution

@jjsantanna

AFAIK it logs the session, user etc. but not commands.

Go to Log Analytics and run query

AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, CategoryValue, action_

// List success vs. failure
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count(ActivityStatus) by Caller, ActivityStatus
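To make the two queries above reproducible offline, here is an added Python example (not code from the thread or from Microsoft) that applies the same filter and aggregations to constructed AzureActivity rows; the row values and the Authorization JSON are assumptions for illustration. As the answer states, this surfaces Cloud Shell session starts (storage key access by the CLOUD-SHELL resource group), not the commands run inside the session.

```python
import json
from collections import Counter

# Constructed sample AzureActivity rows (not real telemetry). Column names follow
# the thread's KQL; ActivityStatusValue is used as the status field for both queries.
SAMPLE_ACTIVITY = [
    {"ResourceGroup": "cloud-shell-storage-westeurope", "Caller": "alice@contoso.example",
     "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success",
     "ActivitySubstatusValue": "OK", "CategoryValue": "Administrative",
     "Authorization": json.dumps({"action": "Microsoft.Storage/storageAccounts/listKeys/action"})},
    {"ResourceGroup": "cloud-shell-storage-eastus", "Caller": "bob@contoso.example",
     "CallerIpAddress": "198.51.100.7", "ActivityStatusValue": "Failed",
     "ActivitySubstatusValue": "Forbidden", "CategoryValue": "Administrative",
     "Authorization": "not json"},  # malformed on purpose: parse_json() would yield null
    {"ResourceGroup": "prod-web-rg", "Caller": "alice@contoso.example",
     "CallerIpAddress": "203.0.113.10", "ActivityStatusValue": "Success",
     "ActivitySubstatusValue": "OK", "CategoryValue": "Administrative",
     "Authorization": json.dumps({"action": "Microsoft.Web/sites/restart/action"})},
]


def is_cloud_shell_row(row, prefix="CLOUD-SHELL"):
    """KQL `startswith` is case-insensitive, so compare upper-cased values."""
    return str(row.get("ResourceGroup", "")).upper().startswith(prefix.upper())


def extract_action(row):
    """tostring(parse_json(Authorization).action): empty string when unparsable."""
    try:
        return str(json.loads(row.get("Authorization") or "{}").get("action", ""))
    except (json.JSONDecodeError, AttributeError):
        return ""


def summarize_cloud_shell(rows):
    """First query: count by group, caller, IP, status, substatus, category and action."""
    counts = Counter()
    for row in rows:
        if is_cloud_shell_row(row):
            counts[(row["ResourceGroup"], row["Caller"], row["CallerIpAddress"],
                    row["ActivityStatusValue"], row["ActivitySubstatusValue"],
                    row["CategoryValue"], extract_action(row))] += 1
    return dict(counts)


def success_vs_failure(rows):
    """Second query: count by Caller and status to spot failed Cloud Shell starts."""
    counts = Counter()
    for row in rows:
        if is_cloud_shell_row(row):
            counts[(row["Caller"], row["ActivityStatusValue"])] += 1
    return dict(counts)
```

A failed storage key access for a caller who never uses Cloud Shell is the kind of row worth alerting on, even though the command history itself is not available in this table.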
@Clive Watson, although your answer is "the best", it still doesn't answer my question. I've observed several attacks where, after attackers compromise "the AAD", he/she issued several Cloudshell commands, BUT AFAIK there is no way to determine what was done. How can I request this "feature" from the community?

@jjsantanna

Please take a look at https://feedback.azure.com/forums/598699-azure-cloud-shell and provide feedback. I had a very quick look, and didn't see a similar request.

I also see questions and answers in the Azure community, maybe worth asking there as well? i.e. https://techcommunity.microsoft.com/t5/azure/azure-cloud-shell-error/m-p/70846

Thanks Clive


Users can choose between Bash or PowerShell.

  1. Select Cloud Shell.

  2. Select Bash or PowerShell.

Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language support. Cloud Shell also securely authenticates automatically for instant access to your resources through the Azure CLI or Azure PowerShell cmdlets.

What is this answer about? The question is "where Cloudshell issued commands are LOGGED?" I think you misunderstand something. Or please clarify.