Auditing Azure Usage Using Activity Log

In this post, I will explain how all actions in Azure are recorded, can be archived for long term retention, and searched.
 

 

The Importance of Auditing

Organizations require auditing of activity for all kinds of reasons. For some, there is no choice. They have a regulatory requirement to track all activity, no matter how big or small. Even without that legal need, having a log of who has done the different tasks can be very useful.
It is useful to understand who did what and when for assigning responsibility. Perhaps you need to know who deleted a critical resource. You may need to understand when an expensive resource was deployed. I have had a situation where a customer claimed that they did not deploy something that greatly increased costs and because of that, they should not be billed for it. A quick peek into the logs and I could prove that the person complaining was the actual person that was to blame for the expensive resource being deployed. I could even say when they did it. That was followed quickly by an, “Ah! I remember now …”
Having such an audit log can also be useful for troubleshooting. Maybe something stops working at a certain time. For example, maybe a SQL Server stops responding on the network at 16:42 on Tuesday. If we have a look into the logs for what was done just before that, maybe we will see a new Network Security Group rule being introduced that blocks the traffic. We can then question the person that the log identified as the culprit to find out why this new firewall rule was created. Then, we can decide if it should be undone or another solution should be found.

The Activity Log

All activity in your Azure tenant or subscription can be found in the Activity Log. Open the navigation bar on the left, click More Services, and search for Activity Log.
Here you can find a history of up to 90 days for every action in your Azure tenant. Do not worry, we can keep more than 90 days activity if we need to.

 
At the top, you will find a set of controls to filter/search the history. The following filter controls are available:

• Subscription: Select a single Azure subscription in your tenant.
• Timespan: Choose from a selected set of time windows (up to 1 month) or a custom start and end date/time range.
• Resource Group: Filter the history to a specific deployment in a subscription.
• Event Category: There are a number of types of events that you can choose from.
• Resource: If you select a resource group, then you can search the history of a specific resource.
• Event Severity: Are you looking for Critical, Error, Warning, or Informational events?
• Resource Type: If you do not select Resource Group, then you can filter by a type of resource, such as Virtual Machines (Microsoft.Compute/Virtual Machines) or Network Security Groups (Microsoft.Network/NetworkSecurityGroups).
• Event Initiated By: Perhaps you need to search for actions by a specific user (user principal name) or Azure service.
• Operation: What kind of operation was it? If you type, “virtual machine” into Operation, a list of all virtual machine operations will appear. You can select the one(s) that you want to search for.
• Search: This is a cover-all-bases approach, where you can look for certain keywords.

Below I have filtered the activity log to look for actions to a virtual machine called vm-petri-02 in the rg-petri resource group. I can see that someone (I am innocent, I tell ya!) deleted a virtual machine and quickly recreated it. If you select the event and click JSON, you can find a lot of information about the specific event. Note the ability to save the results as a CSV file.

 
Note that you can click the Save (Diskette) button to save your search with a name of your choosing. When you reopen Activity Log, you can expand Select Query to run that same search again.
If you click the Pin button, your search will be pinned to the Dashboard. If you click the tile, the Activity Log will open.

The Importance of Identity

The Activity Log is useless if every administrator/operator signs in as the default administrator, for example: admin@tenant.onmicrosoft.com. All too often, almost always, this is what people seem to be doing in my experience. It is vital that this account only be used to add each administrator’s or operator’s own account. One way to do this is by having guest users come from their own tenant (Office 365), another tenant (Microsoft partners), or from a domain controller (via Azure AD Connect) to sign into Azure.

Long Term Retention

Azure will retain up to 90 days of an audit history in the Activity Log. Some organizations will need to keep this kind of history for years. Luckily, Azure makes it easy and cost effective to keep this history.
We can configure the Activity Log to export the audit trail to a storage account. I have configured a storage account as follows:

• Type: Blob – Cool (to minimize costs)
• Resilience: GRS (for facility and region fault tolerance)

You could restrict access to this storage account by placing it into a secured resource group. I have tested this idea but you might set up a restricted access subscription in the same tenant and place the storage account here.
Configuring retention is refreshingly simple. Open Activity Log and click Export (at the top). Then you will configure it as follows:

• Subscription: Select the subscription from your tenant that you are configuring an export to.
• Regions: Select all or some regions to save activity data from.
• Export to a Storage Account or Export to an Event Hub: Pick the destination to save the data to. I am saving to my storage account.
• Retention: When should Azure automatically purge old data from the storage account? The default of 0 keeps an infinite history. You are responsible for cleaning out old data. You can use the slider to go from 0 to 365 days.

 
After you click Save, Azure will start exporting data, in JSON format, to a container (folder) structure in your selected storage account.

You can download any of the JSON files or you can ingest them into other analysis or logging systems.