Forum Discussion
Where are Cloud Shell-issued commands logged?
Rod_Trent, did you test what you sent me? Your idea was the first test that I did, two weeks ago =D, and NO, it doesn't work (at least not for me). And NO, it didn't show anything related to Cloud Shell in AzureActivity (this was also my 'educated' guess). If you had a successful test, could you please send me a print-screen?
jjsantanna Yes... but I'm going to have to dig deeper. I had never thought to figure this out before.
It does return information about Cloud Shell, but only in relation to the success of storage key access for the storage component of Cloud Shell that started and succeeded. This is still a solid indicator that someone initiated Cloud Shell, but it doesn't seem to record much more than that. So, I'll keep digging.
- jjsantanna, Apr 17, 2020, Brass Contributor
Hi Rod_Trent, did you have any chance to take a look at it?
- CliveWatson, Apr 20, 2020, Microsoft
AFAIK it logs the session, user etc., but not commands.
Go to Log Analytics and run this query:

// Cloud Shell activity by caller, IP, status and ARM action
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, CategoryValue, action_

// List success vs. failure
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count() by Caller, ActivityStatus
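The following is an added example, not code posted by CliveWatson, Rod_Trent or anyone else in this thread. It re-implements the logic of the two Log Analytics queries above offline in Python, over a handful of constructed AzureActivity-shaped records, and adds the indicator Rod_Trent describes earlier in the thread: a successful storage key read (listKeys) in the Cloud Shell storage resource group marks the moment someone opened Cloud Shell, but nothing in the record says what was typed afterwards. The callers, IP addresses, subscription id and resource group names are made-up sample values; the column names follow the AzureActivity table as used in the thread. It also shows why the KQL `startswith` match is case-insensitive and what `parse_json(Authorization).action` yields when the blob is malformed.

```python
import json
from collections import Counter

# Constructed sample data (not real telemetry). Subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


def _rec(time, caller, ip, rg, op, status, substatus):
    """Build one AzureActivity-shaped record. Authorization is a JSON string,
    as it is in the Log Analytics table."""
    return {
        "TimeGenerated": time,
        "Caller": caller,
        "CallerIpAddress": ip,
        "ResourceGroup": rg,
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "ActivitySubstatusValue": substatus,
        "CategoryValue": "Administrative",
        "Authorization": json.dumps({"action": op, "scope": f"{SUB}/resourceGroups/{rg}"}),
    }


SAMPLE_ACTIVITY = [
    _rec("2020-04-20T09:12:01Z", "alice@contoso.com", "203.0.113.10", "cloud-shell-storage-westeurope", LIST_KEYS, "Success", "OK"),
    _rec("2020-04-20T11:40:33Z", "alice@contoso.com", "198.51.100.7", "cloud-shell-storage-westeurope", LIST_KEYS, "Success", "OK"),
    _rec("2020-04-20T12:05:10Z", "bob@contoso.com", "198.51.100.9", "cloud-shell-storage-westeurope", LIST_KEYS, "Failure", "Forbidden"),
    _rec("2020-04-20T12:06:00Z", "bob@contoso.com", "198.51.100.9", "prod-rg", "Microsoft.Compute/virtualMachines/start/action", "Success", "OK"),
]
# Edge case: a record whose Authorization blob is not valid JSON (constructed).
SAMPLE_ACTIVITY.append(dict(SAMPLE_ACTIVITY[0], Authorization="not json"))


def parse_action(record):
    """Equivalent of tostring(parse_json(Authorization).action): returns '' when the
    blob is missing, malformed or has no action key, instead of raising."""
    try:
        auth = json.loads(record.get("Authorization") or "{}")
    except json.JSONDecodeError:
        return ""
    return str(auth.get("action", "")) if isinstance(auth, dict) else ""


def cloud_shell_events(records, prefix="cloud-shell"):
    """Equivalent of `where ResourceGroup startswith "CLOUD-SHELL"`. KQL startswith is
    case-insensitive, so the real lowercase resource group names still match."""
    return [r for r in records if r.get("ResourceGroup", "").lower().startswith(prefix.lower())]


def summarize_by_caller(records):
    """Equivalent of the first query's summarize clause."""
    return Counter(
        (r["ResourceGroup"], r["Caller"], r["CallerIpAddress"], r["ActivityStatusValue"],
         r["ActivitySubstatusValue"], r["CategoryValue"], parse_action(r))
        for r in cloud_shell_events(records)
    )


def success_vs_failure(records):
    """Equivalent of the second query: count per (Caller, status)."""
    return Counter((r["Caller"], r["ActivityStatusValue"]) for r in cloud_shell_events(records))


def cloud_shell_starts(records):
    """Successful listKeys on the Cloud Shell storage account: the 'someone opened
    Cloud Shell' indicator. Returns (time, caller, ip) tuples; the commands run in
    the session are not in AzureActivity at all."""
    return [
        (r["TimeGenerated"], r["Caller"], r["CallerIpAddress"])
        for r in cloud_shell_events(records)
        if parse_action(r) == LIST_KEYS and r["ActivityStatusValue"] == "Success"
    ]


if __name__ == "__main__":
    for key, n in sorted(summarize_by_caller(SAMPLE_ACTIVITY).items()):
        print(n, key)
    print(dict(success_vs_failure(SAMPLE_ACTIVITY)))
    for start in cloud_shell_starts(SAMPLE_ACTIVITY):
        print("Cloud Shell session start:", start)
```

The record with the broken Authorization blob still counts as Cloud Shell activity in the summaries (its action column is simply empty), but it is not reported as a session start, because that indicator is keyed on the parsed action; in a real workspace, OperationNameValue is a useful fallback when the Authorization column is unusable.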
- jjsantanna, Apr 20, 2020, Brass Contributor
CliveWatson, although your answer is "the best", it still doesn't answer my question. I've observed several attacks where, after attackers compromised "the AAD", they issued several Cloud Shell commands, BUT AFAIK there is no way to determine what was done. How can I request this "feature" from the community?