Where Cloudshell issued commands are logged?


Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For the PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where are the logs for commands issued using CloudShell. Just adding some context: I'm willingly to monitor the reconnaissance phase (e.g. CloudShell: > Get-AzResource). Could you give me some direction on where to find those log-lines if those exist?

Thanks in advance.

10 Replies

@jjsantanna I'm testing to be sure...but that data should be contained in the AzureActivity table (if you have it enabled). Its going to be a bit before my data refreshes, but if you've run Cloud Shell recently, run the following query bit on its own:


search "Cloud Shell"

@rodtrent did you test what you sent to me? your idea was the first test that I did, two weeks ago =D and NO, it doesn't work (at least not to me). And NO, it didn't show anything related Cloud Shell at AzureActivity (this was also my 'educated' guess). If you had a successful test, could you please send me a print-screen?

@jjsantanna Yes...but I'm doing to have to dig deeper. I had never thought to figure this out prior. 


It does return information about Cloud Shell, but only relation to success of storage key access for the storage component for Cloud Shell that started and succeeded. This is still a solid indicator that someone initiated Cloud Shell, but it doesn't seem to record much more than that. So, I'll keep digging.

Hi @rodtrent did you had any chance to take a look on it? 

best response confirmed by jjsantanna (Contributor)



AFAIK it logs the session, user etc but not commands 


Go to Log Analytics and run query


| where ResourceGroup startswith "CLOUD-SHELL"
| extend action_ = tostring(parse_json(Authorization).action) 
| summarize count() by ResourceGroup  , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue,  CategoryValue , action_ 


// List sucess vs. failure 
| where ResourceGroup startswith "CLOUD-SHELL"
| summarize count(ActivityStatus) by Caller, ActivityStatus
@CliveWatson, although your answer is "the best" it still doesn't answer my question. I've observed several attacks that after attackers compromise "the AAD" he/she issued several Cloudshell commands BUT AFAIK there is no way to determine what was done. How can I request this "feature" to the community?



Please take a look at and provide feedback.  I had a very quick look, and didn't see a similar request. 


I also see questions and answers in the Azure community, maybe worth asking there as well? i.e. 


Thanks Clive

Users can choose between Bash or PowerShell.

  1. Select Cloud Shell.

  2. Select Bash or PowerShell.

Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language support. Cloud Shell also securely authenticates automatically for instant access to your resources through the Azure CLI or Azure PowerShell cmdlets.

What is this answer about? The question is "where Cloudshell issued commands are LOGGED?" I think you misunderstand something. Or please clarify.
To close this's a query that can be used by Microsoft Sentinel to track Cloud Shell usage using the AzureActivity table: