jjsantanna
Apr 02, 2020
Brass Contributor
Where Cloudshell issued commands are logged?
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
CliveWatson
Microsoft
Apr 20, 2020
AFAIK it logs the session, user etc but not commands
Go to Log Analytics and run query
// Summarize Cloud Shell activity by caller, source IP, status and authorized action
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue, CategoryValue , action_
// List success vs. failure
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count(ActivityStatus) by Caller, ActivityStatus
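Building on the queries above, here is an added example (not part of this thread, and not an answer to the original question of recovering the commands themselves, which the AzureActivity table does not record) of how a defender might turn the same Cloud Shell control-plane events into a detection: flag callers or source IPs that start a Cloud Shell session in the last day but have no Cloud Shell history in the preceding two weeks. The `TimeGenerated` and `OperationNameValue` columns are standard AzureActivity fields; the 14d/1d windows and the `"Failure"` status literal are assumptions you should tune against your own tenant.

```kusto
// Added example: newly seen caller/IP pairs touching CLOUD-SHELL resource groups.
// Lookback windows below are assumptions; adjust to your environment.
let lookback = 14d;
let recent = 1d;
// All Cloud Shell related control-plane events, with the authorized action extracted
let cloudshell = AzureActivity
    | where ResourceGroup startswith "CLOUD-SHELL"
    | extend action_ = tostring(parse_json(Authorization).action);
// Caller/IP pairs already seen during the baseline window
let known = cloudshell
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | distinct Caller, CallerIpAddress;
// Recent activity from pairs that are absent from the baseline
cloudshell
| where TimeGenerated > ago(recent)
| join kind=leftanti known on Caller, CallerIpAddress
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Actions = make_set(action_),
    Operations = make_set(OperationNameValue),
    Failures = countif(ActivityStatusValue == "Failure"),
    Events = count()
    by Caller, CallerIpAddress, ResourceGroup
| order by FirstSeen desc
```

Each row is a caller and IP that had no Cloud Shell footprint in the baseline; the `Actions`/`Operations` sets tell you what the session did at the Azure Resource Manager level (storage account and file share provisioning, role checks), which is the only trail Cloud Shell leaves here. Pair it with your sign-in logs for the same `Caller` to see how the identity authenticated before the session started.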
jjsantanna
Apr 20, 2020
Brass Contributor
CliveWatson, although your answer is "the best", it still doesn't answer my question. I've observed several attacks in which, after attackers compromise "the AAD", they issue several Cloudshell commands, BUT AFAIK there is no way to determine what was done. How can I request this "feature" to the community?
CliveWatson
Microsoft
Apr 20, 2020
Please take a look at https://feedback.azure.com/forums/598699-azure-cloud-shell and provide feedback. I had a very quick look, and didn't see a similar request.
I also see questions and answers in the Azure community, maybe worth asking there as well? i.e. https://techcommunity.microsoft.com/t5/azure/azure-cloud-shell-error/m-p/70846
Thanks Clive