azure-monitor-audit
npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/azure-monitor-audit --openclaw
Azure Monitor Audit
Audit Azure activity with Azure Monitor diagnostic settings, the subscription Activity Log, and Log Analytics queries.
Diagnostic Settings
# Enable diagnostic settings on a resource. AuditEvent is the Key Vault data-plane audit
# category; other resource types expose different categories, which you can list with
# az monitor diagnostic-settings categories list --resource <resource-id>
az monitor diagnostic-settings create \
--name audit-logs \
--resource /subscriptions/{sub}/resourceGroups/{rg}/providers/... \
--logs '[{"category":"AuditEvent","enabled":true}]' \
--workspace /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace}
Activity Log Export
# Export the subscription Activity Log to Log Analytics. --location global refers to the
# subscription-level setting, not the workspace. Other Activity Log categories you may want:
# ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth
az monitor diagnostic-settings subscription create \
--name activity-log-export \
--location global \
--logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true}]' \
--workspace /subscriptions/.../workspaces/audit-workspace
Log Analytics Queries
// Failed sign-in attempts. Sign-ins are in SigninLogs, not AuditLogs (AuditLogs holds
// Entra ID directory changes). Both tables reach the workspace only if Entra ID
// diagnostic settings are configured; the subscription Activity Log export does not send them.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, AppDisplayName
// Administrative changes: control-plane write/delete operations from the Activity Log export
// (endswith is case-insensitive in KQL, so the casing of OperationNameValue does not matter)
AzureActivity
| where TimeGenerated > ago(24h)
| where CategoryValue == "Administrative"
| where OperationNameValue endswith "/write" or OperationNameValue endswith "/delete"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup, ActivityStatusValue
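The detection logic of the two queries, run offline as an added example (not code from the skill or its repository). It works over constructed rows shaped like SigninLogs and AzureActivity columns, not real tenant data, and assumes ResultType is a string with "0" meaning success and that control-plane change operations end in /write or /delete. Failed sign-ins are taken from SigninLogs (AuditLogs holds directory changes). It goes one step beyond the plain queries: it groups failures per source IP so that one address failing against several accounts (a password-spray pattern) stands out.

```python
"""Offline detection pass mirroring the SigninLogs and AzureActivity queries.

All rows below are constructed sample data (hypothetical users, IPs, subscriptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 24h window is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SigninLogs-shaped rows (ResultType "50126" = invalid username or password).
SIGNIN_LOGS = [
    {"TimeGenerated": NOW - timedelta(hours=1), "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": NOW - timedelta(hours=2), "UserPrincipalName": "bob@contoso.example",
     "ResultType": "50126", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": NOW - timedelta(hours=2), "UserPrincipalName": "carol@contoso.example",
     "ResultType": "50126", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": NOW - timedelta(hours=3), "UserPrincipalName": "dave@contoso.example",
     "ResultType": "50126", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": NOW - timedelta(hours=30), "UserPrincipalName": "erin@contoso.example",
     "ResultType": "50126", "IPAddress": "192.0.2.9"},  # older than 24h, must be excluded
]

# Constructed AzureActivity-shaped rows; casing of OperationNameValue deliberately varies.
ACTIVITY_LOGS = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "Caller": "alice@contoso.example",
     "CallerIpAddress": "203.0.113.10", "CategoryValue": "Administrative",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write", "ResourceGroup": "rg-prod"},
    {"TimeGenerated": NOW - timedelta(minutes=20), "Caller": "alice@contoso.example",
     "CallerIpAddress": "203.0.113.10", "CategoryValue": "Administrative",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/read", "ResourceGroup": "rg-prod"},
    {"TimeGenerated": NOW - timedelta(minutes=30), "Caller": "svc-deploy@contoso.example",
     "CallerIpAddress": "203.0.113.20", "CategoryValue": "Administrative",
     "OperationNameValue": "MICROSOFT.KEYVAULT/VAULTS/DELETE", "ResourceGroup": "rg-prod"},
    {"TimeGenerated": NOW - timedelta(minutes=40), "Caller": "Microsoft.Advisor",
     "CallerIpAddress": "", "CategoryValue": "Recommendation",
     "OperationNameValue": "Microsoft.Advisor/recommendations/available/action", "ResourceGroup": "rg-prod"},
]


def failed_signins(rows, now=NOW, window=timedelta(hours=24)):
    """SigninLogs | where TimeGenerated > ago(24h) | where ResultType != "0"."""
    cutoff = now - window
    return [r for r in rows if r["TimeGenerated"] > cutoff and r["ResultType"] != "0"]


def spray_sources(failed_rows, min_users=3):
    """Group failed sign-ins by source IP and return the IPs that failed against
    at least min_users distinct accounts (password-spray pattern)."""
    users_by_ip = defaultdict(set)
    for r in failed_rows:
        users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def admin_changes(rows):
    """AzureActivity | where CategoryValue == "Administrative"
    | where OperationNameValue endswith "/write" or OperationNameValue endswith "/delete".
    KQL endswith is case-insensitive, so the comparison is done on the lower-cased name."""
    out = []
    for r in rows:
        op = r["OperationNameValue"].lower()
        if r["CategoryValue"] == "Administrative" and (op.endswith("/write") or op.endswith("/delete")):
            out.append(r)
    return out


if __name__ == "__main__":
    failed = failed_signins(SIGNIN_LOGS)
    print(f"{len(failed)} failed sign-ins in the last 24h")
    for ip, users in spray_sources(failed).items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
    for r in admin_changes(ACTIVITY_LOGS):
        print(f"{r['TimeGenerated']:%Y-%m-%dT%H:%MZ} {r['Caller']} {r['OperationNameValue']} ({r['ResourceGroup']})")
```

On the sample rows this reports three failed sign-ins, flags 198.51.100.7 as hitting three distinct accounts, and lists the role-assignment write and the vault delete while ignoring the read and the Advisor recommendation. The per-IP grouping is the kind of refinement worth turning into a scheduled alert rule, since a single failed sign-in rarely warrants a page.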
Best Practices
- Centralize to a single Log Analytics workspace, and route Entra ID SignInLogs and AuditLogs there as well; the subscription export covers only the Activity Log
- Long-term archive to a Storage account for retention beyond the workspace's interactive retention period
- Configure scheduled-query alert rules on the queries above instead of relying on manual searches
- Review and tune the queries regularly (new resource types, new operation names, noisy ResultType codes)
- Verify diagnostic settings and enabled log categories with az monitor diagnostic-settings list --resource <resource-id> and az monitor diagnostic-settings subscription list
Source
https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/auditing/azure-monitor-audit/SKILL.md
Overview
Azure Monitor Audit configures diagnostic settings and Log Analytics to collect and analyze Azure activity data. It centralizes auditing for security and compliance, enabling visibility, alerts, and long-term retention.
How This Skill Works
The skill creates diagnostic settings to forward AuditEvent logs to a Log Analytics workspace and sets up a subscription-level Activity Log export for Administrative and Security events. It provides Kusto queries on SigninLogs and AzureActivity to identify failed sign-ins and administrative changes for ongoing monitoring. SigninLogs and AuditLogs are Microsoft Entra ID tables: they reach the workspace only if Entra ID diagnostic settings are also configured, which the subscription Activity Log export does not do.
When to Use It
- When you need centralized auditing of Azure activity across subscriptions
- During security or compliance audits requiring traceability for changes
- To detect failed login attempts and security-related events
- To monitor and review administrative changes (write/delete) in Azure
- To enable long-term retention and alerting on critical activities
Quick Start
- Step 1: Enable diagnostic settings to collect AuditEvent logs for resources using az monitor diagnostic-settings create
- Step 2: Export activity logs to a Log Analytics workspace with az monitor diagnostic-settings subscription create
- Step 3: Run Kusto queries against SigninLogs and AzureActivity to identify failed sign-ins and administrative changes
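After Steps 1 and 2, the check a practitioner wants is whether every required category actually reaches the workspace the queries run against. The following coverage check is an added example, not part of the skill: it parses JSON shaped like the output of az monitor diagnostic-settings list --resource <id> -o json and az monitor diagnostic-settings subscription list -o json (both the bare array and the older {"value": [...]} envelope), and reports the required categories that no setting routes to the target workspace. The settings, subscription ID, workspace ID and required-category lists are constructed assumptions.

```python
"""Diagnostic-setting coverage check over constructed az CLI output.

Assumptions: settings carry "name", "workspaceId" and "logs" entries with
"category" or "categoryGroup" and "enabled", as the az CLI JSON output does.
"""
import json

# Constructed workspace ID (placeholder subscription).
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
                "/providers/Microsoft.OperationalInsights/workspaces/audit-workspace")

# Constructed resource-level output: "audit-logs" routes AuditEvent to the workspace,
# "archive" enables everything but only targets a storage account, so the workspace
# never receives AzurePolicyEvaluationDetails.
SAMPLE_RESOURCE_SETTINGS = json.dumps([
    {"name": "audit-logs", "workspaceId": WORKSPACE_ID, "storageAccountId": None,
     "logs": [{"category": "AuditEvent", "enabled": True},
              {"category": "AzurePolicyEvaluationDetails", "enabled": False}]},
    {"name": "archive", "workspaceId": None,
     "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
                         "/providers/Microsoft.Storage/storageAccounts/auditarchive",
     "logs": [{"category": "AuditEvent", "enabled": True},
              {"category": "AzurePolicyEvaluationDetails", "enabled": True}]},
])

# Constructed subscription-level output for the Activity Log export.
SAMPLE_SUBSCRIPTION_SETTINGS = json.dumps([
    {"name": "activity-log-export", "workspaceId": WORKSPACE_ID,
     "logs": [{"category": "Administrative", "enabled": True},
              {"category": "Security", "enabled": True},
              {"category": "Policy", "enabled": False}]},
])


def _as_list(payload):
    """Accept the bare JSON array or the older {"value": [...]} envelope."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    return data["value"] if isinstance(data, dict) and "value" in data else data


def workspace_coverage(payload, required, workspace_id):
    """Return (missing, covered): the required categories that no setting routes
    to workspace_id, and a map of covered category -> name of the setting that
    delivers it. An enabled categoryGroup "allLogs" counts for every required
    category. Settings that target only storage or an event hub are ignored,
    because the Log Analytics queries cannot see what goes there."""
    covered = {}
    for setting in _as_list(payload):
        if (setting.get("workspaceId") or "").lower() != workspace_id.lower():
            continue
        for entry in setting.get("logs", []):
            if not entry.get("enabled"):
                continue
            if entry.get("categoryGroup") == "allLogs":
                for cat in required:
                    covered.setdefault(cat, setting["name"])
            elif entry.get("category") in required:
                covered.setdefault(entry["category"], setting["name"])
    missing = sorted(c for c in required if c not in covered)
    return missing, covered


if __name__ == "__main__":
    checks = [
        ("key vault", SAMPLE_RESOURCE_SETTINGS, ["AuditEvent", "AzurePolicyEvaluationDetails"]),
        ("subscription activity log", SAMPLE_SUBSCRIPTION_SETTINGS, ["Administrative", "Security", "Policy"]),
    ]
    for label, payload, required in checks:
        missing, covered = workspace_coverage(payload, required, WORKSPACE_ID)
        status = "OK" if not missing else f"MISSING {missing}"
        print(f"{label}: {status}; covered={covered}")
```

Run against real output by piping the az command into a file and loading it in place of the sample strings; the function itself is pure, so it can also be dropped into a policy-as-code check that fails a pipeline when a category is missing.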
Example Use Cases
- Detect failed sign-in attempts by querying SigninLogs for a non-zero ResultType in the last 24 hours
- Track administrative changes by filtering AzureActivity where CategoryValue is Administrative and OperationNameValue is a write or delete operation
- Export the subscription Activity Log to a Log Analytics workspace for consolidated monitoring
- Set up alerts on AuditEvent or Administrative changes to notify security teams
- Regularly review queries against AuditLogs and AzureActivity to ensure policy compliance