
Azure Activity Log Page

Overview

In the Lacework Console, select Resources > Cloud > Azure Activity Log to display the Azure Activity Log page.

To populate the Activity Log data shown on this page, you must configure an integration with at least one Azure account. For more information, see Integrate Lacework with Azure.

Lacework provides visibility into your account security through the continued monitoring and analysis of Azure Activity Logs from your subscriptions. The Activity Log page provides graphs and panels that summarize the Activity Log data that is collected during this monitoring and analysis.

An Azure tenant identifies an organization (account) that owns and manages Azure resources. These resources reside within Azure subscriptions.

Workflow

Use the tenant drop-down, located in the top middle of the panel, to limit the results displayed in the dashboard to a single Azure subscription or to all Azure subscriptions integrated with Lacework. The drop-down defaults to All Tenants.

Use the subscription drop-down to narrow the dashboard results to a specific Azure subscription within the tenant, or select All Subscriptions (default).

At the top of the panel, you can specify global filters that apply to all the data displayed in the Activity Log page. For example, you can filter for activity within the last 2 hours when you need to pinpoint activities that occurred during that time frame.

If no events are listed in the timeline, consider increasing the span of the date range.

To set a date/time range to report on, add a filter using one of the following methods:

  • Select the calendar icon and click the start date. Repeat for the end date.
  • Select a date range in the Date Range drop-down.

Verify that the start and end date/times are correct for your date/time range, and change them if required. For example, if you select Last 7 days from the Date Range drop-down at 3 PM on September 20 2021, the following date/time range is reported: Sep 14, 2021 12 AM to Sep 20, 2021 12 AM. Note that the end time is 12 AM. If you want to view all events for today, change the end time to 3 PM.

Specify a time for the start and end dates by selecting the clock icon.

The Lacework Console also enables you to filter on additional optional parameters.

To filter using these parameters:

  1. Click in the field next to the filter icon.
  2. Select a parameter type, such as Role.
  3. Select a filter operator.
    • Select includes if the value of the parameter in the Activity Logs must match the value or regular expression specified in the condition. For example, specify Role includes Contributor if you want the filter to return data generated by any user, group, service principal, or managed identity with that role.
    • Select excludes if the value of the parameter in the Activity Logs must not match the value or regular expression specified in the condition. For example, specify User name excludes john.smith@company.com if you do not want the filter to return data generated by that user.
  4. Enter a value or regular expression to compare against. Do not enter quotes; the Lacework Console adds the quotes when you press Enter. You can use the * wildcard to match one or more characters.
  5. Optionally add further filter checks. In addition to these parameters, you can filter on date/time ranges as described above.

Select the adjacent filter icon in the tables under Timeline to add a filter to columns that support additional filters. This adds a new filter visible at the top of the page.

Visual Graphs

The Lacework Console displays the following visual graphs:

  • Events
  • Alerts
  • Unique Users
  • Unique Operations
  • Unique Subscriptions
  • Unique Caller Regions
  • Unique Resource Types
  • Unique Errors

All data, including these graphs, correlates with the date range and parameters set in the global filter.

Refresh each graph for updated data, or expand a graph to view it full screen. Hover over a specific point on one graph to simultaneously pinpoint the data at the same date/time on the other graphs.

Timeline

The Timeline panel is located to the right of the visual graphs. It displays a timeline of events that match the date/time filter and any optional parameter filters set at the top of the page. Because only Activity Log events are assessed on this page, the only applicable event category option for the timeline is Cloud Activity. Use the Timeline to locate and identify the specific date/time at which an anomalous cloud activity may have occurred.

The Timeline panel displays counts of matching events grouped by severity.

To optionally filter events by severities, click one or more severity tiles. For example, if you select only the Critical tile, then critical events are listed exclusively. A selected tile in the Lacework Console has a blue background.

Filtering by severity affects only the events listed in the timeline and has no effect on the other tables on this page.

To view more details about an event in the timeline, click the Expand event details down arrow in the event entry.

For a complete history of a specific event, click the Open Event Dossier icon located to the left of the Expand event details.

Activity Logs

The logs listed in the Activity Logs panel resemble the logs you would see in the Azure Console (Azure > Activity Log). However, the Lacework Console allows you to search and filter them to identify and analyze actions within your Azure subscription(s).

Click the filter icon to add a filter on any value that supports filtering. For example, click the filter icon next to a service to create a filter that shows only data from that service. The new filter appears at the top of the panel. Combine multiple filters, using both includes and excludes, to isolate the data you want to view and inspect.

User Details

The User Details panel displays a list of Activity Log user information, including the following details:

  • Principal identifier and type
  • Role
  • User name
  • Tenant identifier and name
  • Subscription identifier and name
  • City, State and Country
  • First seen time
  • Last seen time

This panel is useful when you need to audit or assess user activity. In it you can see from which account and location a user performed an activity, as well as which subscription the user accessed.

API Error Events

The API Error Events panel displays API error events with the following details:

  • Tenant name
  • Subscription name
  • Provider Name
  • Resource type
  • Category
  • Result type
  • Error count

This panel can be helpful when you want to isolate which API calls are being made to your Azure subscription(s), the associated errors that are occurring, and how many times each error occurred. For example, sort the Error Count column in descending order to list the most frequent API errors within your Azure subscription; this raises visibility into service account roles and the errors they are generating that may need to be investigated and assessed.

Azure Anomaly Alerting

Azure anomaly-based alerting generates intelligent and optimized alerts for your Azure environment by comparing behavior on an hourly basis. This feature detects intrinsic changes such as a user accessing services for the first time or accessing them from a bad source.

List of Events Associated with Node Alerts

Node alerts appear whenever there’s a new node seen for the first time, such as when a user or service principal accesses an Azure service for the first time.

The following polygraph changes result in node alerts:

Alert Type    Event Name                                   Event Type
Node alert    New Azure SP Accessing Resource              NewAzureService
Node alert    New Azure Subscription Created               NewAzureSubscription
Node alert    New Azure User Logged In From Bad Source     NewAzureUserLoggedInFromBadSource
Node alert    New Azure API Failed With Error              NewAzureApiFailedWithError

List of Events Associated with Edge Alerts

When a new node is added in the polygraph, a new edge relationship is introduced. For example, an edge alert might occur when users log in from a malicious source or the Azure service is used or fails in ways never seen before.

The following polygraph changes result in edge alerts:

Alert Type    Event Name                                                                  Event Type
Edge alert    New Azure User Performed Operation on Resource for the First Time           NewAzureUserEventCategory
Edge alert    New Azure API Call Invoked by User Accessed Resource for the First Time     NewAzureApiCallOnResource
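To make the node and edge alert model concrete, the following is an added example written for this page, not Lacework's implementation: a simplified first-seen detector over constructed Activity Log records. It borrows the event type names from the two tables above, uses a subset of Azure Activity Log field names for the records, and assumes a learning period during which observed behaviour only builds the baseline; the detector's logic is an illustration, not how Lacework computes its alerts.

```python
# Added example for this page, not Lacework's implementation: a first-seen
# detector in the spirit of the node/edge alerts above. Record layout (a
# subset of Azure Activity Log field names) and all events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

class FirstSeenDetector:
    def __init__(self, learning_period):
        self.learning_period = learning_period   # no alerts until a baseline exists
        self.start = None
        self.providers = defaultdict(set)  # node: caller -> {resourceProvider}
        self.edges = defaultdict(set)      # edge: caller -> {(operation, resourceId)}
        self.failed = set()                # node: {(operation, resultType)} seen failing

    def observe(self, rec):
        """Fold one record into the baseline and return the alerts it raises."""
        ts = datetime.fromisoformat(rec["time"])
        self.start = self.start or ts
        caller, op, provider = rec["caller"], rec["operationName"], rec["resourceProvider"]
        edge, failure = (op, rec["resourceId"]), (op, rec["resultType"])
        alerts = []
        if provider not in self.providers[caller]:       # principal touches a new service
            alerts.append(("Node alert", "NewAzureService", caller, provider))
        if rec["status"] == "Failed" and failure not in self.failed:  # new API error
            alerts.append(("Node alert", "NewAzureApiFailedWithError", caller, op))
            self.failed.add(failure)
        if edge not in self.edges[caller]:               # new (operation, resource) pair
            alerts.append(("Edge alert", "NewAzureApiCallOnResource", caller, *edge))
        self.providers[caller].add(provider)
        self.edges[caller].add(edge)
        # Activity inside the learning period only builds the baseline.
        return [] if ts - self.start < self.learning_period else alerts

def ev(time, caller, op, provider, rid, status="Succeeded"):
    return {"time": time, "caller": caller, "operationName": op, "resourceProvider": provider,
            "resourceId": rid, "status": status,
            "resultType": "Success" if status == "Succeeded" else "Failure"}

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
EVENTS = [  # constructed, time-ordered; the first two hours form the baseline
    ev("2021-09-20T09:05:00", "app-sp", LIST_KEYS, "Microsoft.Storage", "/sub-1/rg-app/stacct1"),
    ev("2021-09-20T10:15:00", "app-sp", LIST_KEYS, "Microsoft.Storage", "/sub-1/rg-app/stacct1"),
    ev("2021-09-20T11:30:00", "app-sp", LIST_KEYS, "Microsoft.Storage", "/sub-1/rg-app/stacct1"),
    ev("2021-09-20T11:42:00", "app-sp", "Microsoft.KeyVault/vaults/secrets/read", "Microsoft.KeyVault", "/sub-1/rg-app/kv1"),
    ev("2021-09-20T11:50:00", "alice", "Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute", "/sub-1/rg-prod/vm-1", "Failed"),
]

def run(events, learning_hours=2):
    det = FirstSeenDetector(timedelta(hours=learning_hours))
    return [alert for rec in events for alert in det.observe(rec)]
```

Running `run(EVENTS)` raises no alert for the repeated listKeys call, one node and one edge alert when the service principal first reads Key Vault, and three alerts (new service, new API error, new edge) for alice's failed delete.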