Skill

analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious admin operations, impossible travel, privilege escalation. Use for Azure threat hunting or building cloud SIEM detections.

Azure

Python

security

npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/cybersec-toolkit:analyzing-azure-activity-logs-for-threats

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- When investigating security incidents that require analyzing azure activity logs for threats

SKILL.md

88 lines · ~609 tokens

Similar Skills

analyzing-azure-activity-logs-for-threats

13.2k

3 files

cybersecurity-skills

analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity and sign-in logs via azure-monitor-query to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments.

asi

analyzing-azure-activity-logs-for-threats

Queries Azure activity and sign-in logs with azure-monitor-query and KQL to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. For Azure threat hunting and SIEM rules.

3 files

cybersecurity-skills-zh

Stats

LanguagePython

Stars11

Forks2

MaintenanceExcellent

Last CommitJun 10, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Azure Activity Logs for Threats

When to Use

When investigating security incidents that require analyzing azure activity logs for threats

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, detecting suspicious admin operations and sign-in anomalies.

from azure.identity import DefaultAzureCredential from azure.monitor.query import LogsQueryClient from datetime import timedelta credential = DefaultAzureCredential() client = LogsQueryClient(credential) response = client.query_workspace( workspace_id="WORKSPACE_ID", query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10", timespan=timedelta(hours=24), )

Key detection queries:

Role assignment changes (privilege escalation)

Resource group and subscription modifications

Key vault secret access from new IPs

Network security group rule changes

Conditional access policy modifications

Examples

# Detect new Global Admin role assignments query = ''' AuditLogs | where OperationName == "Add member to role" | where TargetResources[0].modifiedProperties[0].newValue has "Global Administrator" '''