Skill

analyzing-azure-activity-logs-for-threats

From asi

Queries Azure Monitor activity and sign-in logs via azure-monitor-query to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments.

Python

Azure

security

monitoring

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing azure activity logs for threats

SKILL.md

Similar Skills

analyzing-azure-activity-logs-for-threats

5.9k

Queries Azure Monitor activity and sign-in logs with azure-monitor-query and KQL to detect privilege escalations, impossible travel, suspicious admin ops, and resource changes.

3 files

cybersecurity-skills

analyzing-azure-activity-logs-for-threats

Queries Azure activity and sign-in logs with azure-monitor-query and KQL to detect suspicious admin operations, impossible travel, privilege escalation, and resource modifications. For Azure threat hunting and SIEM rules.

3 files

cybersecurity-skills-zh

detecting-azure-lateral-movement

Detects lateral movement in Azure AD/Entra ID using Microsoft Graph API audit logs, Azure Sentinel KQL queries, and sign-in anomaly correlations to identify privilege escalation, token theft, and pivoting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Azure Activity Logs for Threats

When to Use

When investigating security incidents that require analyzing azure activity logs for threats

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, detecting suspicious admin operations and sign-in anomalies.

from azure.identity import DefaultAzureCredential from azure.monitor.query import LogsQueryClient from datetime import timedelta credential = DefaultAzureCredential() client = LogsQueryClient(credential) response = client.query_workspace( workspace_id="WORKSPACE_ID", query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10", timespan=timedelta(hours=24), )

Key detection queries:

Role assignment changes (privilege escalation)

Resource group and subscription modifications

Key vault secret access from new IPs

Network security group rule changes

Conditional access policy modifications

Examples

# Detect new Global Admin role assignments query = ''' AuditLogs | where OperationName == "Add member to role" | where TargetResources[0].modifiedProperties[0].newValue has "Global Administrator" '''