Forum Discussion
jjsantanna
Apr 02, 2020 · Brass Contributor
Where Cloudshell issued commands are logged?
Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where ...
- Apr 20, 2020
AFAIK it logs the session, user, etc., but not commands.
Go to Log Analytics and run the query:
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup, Caller, CallerIpAddress, ActivityStatusValue, ActivitySubstatusValue, CategoryValue, action_

// List success vs. failure
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count(ActivityStatus) by Caller, ActivityStatus
Lewis-H
Apr 20, 2020 · Iron Contributor
Users can choose between Bash or PowerShell.
Select Cloud Shell.
Select Bash or PowerShell.
Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language support. Cloud Shell also securely authenticates automatically for instant access to your resources through the Azure CLI or Azure PowerShell cmdlets.
- jjsantanna
  Apr 20, 2020 · Brass Contributor
  What is this answer about? The question is "where Cloudshell issued commands are LOGGED?" I think you misunderstand something. Or please clarify.