Queries Azure activity and sign-in logs with azure-monitor-query and KQL to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. For Azure threat hunting and SIEM rules.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Runs KQL queries against an Azure Log Analytics workspace with azure-monitor-query to detect suspicious administrative operations and sign-in anomalies.
Queries Azure Monitor activity and sign-in logs via azure-monitor-query to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Queries Azure Monitor activity and sign-in logs with azure-monitor-query and KQL to detect privilege escalations, impossible travel, suspicious admin ops, and resource changes.
Detects lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL queries, and login anomaly correlations. Identifies privilege escalation, token theft, and cross-tenant transfers for threat hunting.
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient
from datetime import timedelta

# DefaultAzureCredential picks up the environment, managed identity or az login session
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

# Pull role-assignment writes from the activity log over the last 24 hours
response = client.query_workspace(
    workspace_id="WORKSPACE_ID",
    query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10",
    timespan=timedelta(hours=24),
)
Key detection queries:
# Detect new Global Administrator role assignments
# (AuditLogs records the directory role change; the new role name is in the target's modified properties)
query = '''
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].modifiedProperties[0].newValue has "Global Administrator"
'''
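The impossible-travel detection mentioned in the description needs more than a single KQL filter: the query pulls successful sign-ins and the post-processing compares consecutive sign-ins per user. The following is an added example, not code from the skill itself; it assumes the SigninLogs columns TimeGenerated, UserPrincipalName, Location and ResultType, the azure-monitor-query 1.x table shape (table.columns as a list of names), and uses constructed sample rows so the logic runs without a workspace.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the columns the KQL below projects
# from SigninLogs (illustrative values, not real tenant data).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@example.com", "Location": "US"},
    {"TimeGenerated": "2024-05-01T08:30:00Z", "UserPrincipalName": "alice@example.com", "Location": "DE"},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "UserPrincipalName": "bob@example.com", "Location": "US"},
    {"TimeGenerated": "2024-05-02T09:00:00Z", "UserPrincipalName": "bob@example.com", "Location": "JP"},
]

# Successful sign-ins only (ResultType 0), one row per sign-in, oldest first.
IMPOSSIBLE_TRAVEL_KQL = """
SigninLogs
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location
| order by UserPrincipalName asc, TimeGenerated asc
"""

def _ts(value):
    # Log Analytics returns ISO-8601 strings; accept the trailing 'Z' form on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_impossible_travel(rows, window=timedelta(hours=1)):
    """Return (user, from_country, to_country, minutes_apart) for each pair of
    consecutive sign-ins by the same user from different countries within
    `window`. Rows are dicts keyed by the projected column names."""
    ordered = sorted(rows, key=lambda r: (r["UserPrincipalName"], _ts(r["TimeGenerated"])))
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["UserPrincipalName"] != cur["UserPrincipalName"]:
            continue
        gap = _ts(cur["TimeGenerated"]) - _ts(prev["TimeGenerated"])
        if prev["Location"] != cur["Location"] and gap <= window:
            findings.append((cur["UserPrincipalName"], prev["Location"], cur["Location"],
                             int(gap.total_seconds() // 60)))
    return findings

def rows_from_table(table):
    """Convert a LogsTable into dict rows (assumes table.columns is a list of column names)."""
    return [dict(zip(table.columns, row)) for row in table.rows]

def hunt_impossible_travel(workspace_id, hours=24):
    """Run the KQL against a real workspace and post-process it (needs Azure credentials)."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.query import LogsQueryClient
    client = LogsQueryClient(DefaultAzureCredential())
    response = client.query_workspace(workspace_id, IMPOSSIBLE_TRAVEL_KQL, timespan=timedelta(hours=hours))
    return find_impossible_travel(rows_from_table(response.tables[0]))  # assumes a full (non-partial) result
```

On the sample rows only alice is flagged (US to DE within 30 minutes); bob's sign-ins are 24 hours apart and fall outside the default one-hour window.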