Azure Active Directory Audit logs


This post comes from Namgyal Dolker, a senior security program manager in the Azure Security engineering team.

One of the primary concerns from customers is the sense of losing visibility into what is happening in their cloud service. They want to understand how to perform many of the same actions and activities in the cloud as they perform in their on-premises applications. As the sophistication of threats increases, so should the detection of those threats, especially in an ‘Assume Breach’ security strategy. Audit logging is a great detective security control.

On top of having the ability to collect and analyze logs from your cloud service as per the Microsoft Azure Security and Audit Log Management whitepaper, the Azure Security team strives to provide the right level of audit logs as it relates to your subscription and your Azure Active Directory tenant. Audit events are logged in a consistent schema and are monitored to prevent tampering and loss, hence providing a robust logging system.

Let’s walk through one simple example today: you would like to track and validate various actions performed with user accounts in Azure. The Azure Active Directory audit logs are accessible from the management portal.
 

Audit events currently provided from the management portal are also downloadable per documentation at Azure Active Directory Audit Report Events. It is now convenient for an admin of an organization to gather critical changes that are happening in their Azure Active Directory tenant.

For example, Katelyn Carey, an admin of Contoso, is investigating a security incident and, as part of that, wants to know when and by whom Dominique Trujillo’s password was reset. She can now log into the Azure management portal and find the audit log that answers the question.

| Date and Time | Actor | Action | Target |
| --- | --- | --- | --- |
| 05/27/2015 4:30:04 PM | LewisBowler@contoso.com | Reset user password | DomTru@contoso.com |
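
The same question can also be answered offline from a downloaded copy of the report. The following is an added example, not code from the original post or from Microsoft: the CSV layout, the function names and every sample row other than the one shown in the table above are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 05/27/2015 4:30:04 PM
RESET_ACTION = "reset user password"

# Constructed sample export. Columns mirror the portal table; the second row
# is the event from the post, the others are made up for illustration.
SAMPLE_EXPORT = """Date and Time,Actor,Action,Target
05/27/2015 9:12:41 AM,KatCar@contoso.com,Add user,NewHire@contoso.com
05/27/2015 4:30:04 PM,LewisBowler@contoso.com,Reset user password,DomTru@contoso.com
05/27/2015 5:02:10 PM,DomTru@contoso.com,Change user password,DomTru@contoso.com
not-a-date,someone@contoso.com,Reset user password,DomTru@contoso.com
"""


def field(row, name):
    """Return a trimmed column value, tolerating short or ragged rows."""
    return (row.get(name) or "").strip()


def find_password_resets(export_text, target_upn, start=None, end=None):
    """Return (matches, skipped) for password resets against target_upn.

    matches: dicts with 'when' (datetime) and 'actor', oldest first.
    skipped: rows whose timestamp could not be parsed, kept for manual review.
    """
    matches, skipped = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            when = datetime.strptime(field(row, "Date and Time"), TIME_FORMAT)
        except ValueError:
            skipped.append(row)
            continue
        if field(row, "Action").lower() != RESET_ACTION:
            continue
        if field(row, "Target").lower() != target_upn.strip().lower():
            continue
        if (start and when < start) or (end and when > end):
            continue
        matches.append({"when": when, "actor": field(row, "Actor")})
    matches.sort(key=lambda m: m["when"])
    return matches, skipped


if __name__ == "__main__":
    hits, bad = find_password_resets(SAMPLE_EXPORT, "domtru@contoso.com")
    for hit in hits:
        print(hit["when"].isoformat(), hit["actor"])
    print(f"{len(bad)} row(s) skipped: unparseable timestamp")
```

Rows with an unreadable timestamp are returned separately rather than dropped, so a damaged or truncated export is visible to the investigator instead of silently shrinking the result.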

 

Azure’s operation logs, storage analytics logs and Azure SQL audit logs provide a view into what has happened to your subscription and resources as well. Stay tuned to this channel for more tips next week!

 

David B. Cross

Engineering Director, Azure Security

 

 

Comments (1)

  1. Brian says:

    How can you trace an "Actor" down if it's just a number?
