Dana Epp

Do digital forensics exist for Azure?

So today I was talking with a friend and fellow MVP, Susan Bradley, about digital forensics in Azure. As part of the discussion she shared a great blog post by Sherri Davidoff on Exposing the Secret Office 365 Forensic Tool.

This gets at an interesting dilemma created by the pace of innovation coming out of Microsoft right now. In the quest to deliver more value in the Microsoft Cloud, the documentation can't always keep up with what is going on. Normally, the pattern is something like this:

  • Developers build out the RESTful APIs

  • Those APIs get built into Azure CLI and Azure PowerShell

  • Those calls get added to the Azure SDK

  • Those calls are finally documented in detail

Now, I am sure some Microsoft PMs will swear it doesn't work that way, but it's what ends up happening. That means if you WANT to understand how a cloud service works, start with the APIs.

How? Look to the Azure Resource Explorer. It helps you discover the Azure Resource Management (ARM) APIs, get API documentation and actually make API calls directly into your own subscription. Here is a screencast from back in 2015 that David Ebbo did to show how to use the tool.

Of course, this does mean you have to understand how API calls work. I have always said that IT professionals should have a decent understanding of how this sort of thing works. If you don't, you really miss out on this kind of stuff. You can even look right at the code for this tool, as Microsoft open sourced it and leaves it available for all to see here.

Of course, not all APIs in Azure are done with ARM. However, when Project Kudu was made public back in 2012 (when the new Azure Portal and command-line tools went live), it opened up a huge ecosystem for us to learn, love and play in. You can explore the data and APIs with Microsoft Graph, and look deeper into security with the new Intelligent Security Graph.

To answer the original question: YES, there is a wealth of data and information you can use for digital forensics in Azure. You just need to know where to look for it. Arguments can be made that it isn't easy... which is why things like ARM Explorer and the Graphs exist.
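As an added illustration of "start with the APIs" (example code written for this edit, not from the post or from Microsoft): the same ARM endpoint that Azure Resource Explorer browses exposes the subscription Activity Log under the Microsoft.Insights provider, and a few lines of Python turn that raw response into a forensic timeline. The endpoint and api-version are the documented Azure Monitor ones; the bearer token source, the SUB placeholder and the sample response are assumptions constructed for the demo.

```python
import json
import urllib.parse
import urllib.request
ARM = "https://management.azure.com"  # the ARM endpoint Azure Resource Explorer browses

def activity_log_url(subscription_id, start_utc, end_utc):
    """URL for the Activity Log list call (Microsoft.Insights provider, api-version 2015-04-01);
    the API requires an eventTimestamp window, so scope it to the incident period."""
    flt = f"eventTimestamp ge '{start_utc}' and eventTimestamp le '{end_utc}'"
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Insights"
            "/eventtypes/management/values?api-version=2015-04-01&$filter="
            + urllib.parse.quote(flt))

def fetch_events(url, bearer_token):
    """Walk nextLink pages; needs a real token (e.g. `az account get-access-token`). Not run offline."""
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("nextLink")
    return events

def timeline(events):
    """Flatten raw entries into a chronological who / from where / did what / outcome view."""
    rows = [{"when": e.get("eventTimestamp", ""),
             "who": e.get("caller", ""),
             "ip": e.get("httpRequest", {}).get("clientIpAddress", ""),
             "op": e.get("operationName", {}).get("value", ""),
             "status": e.get("status", {}).get("value", ""),
             "resource": e.get("resourceId", "")} for e in events]
    return sorted(rows, key=lambda r: r["when"])

def secret_reads(rows):
    """Successful credential reads (listKeys/listSecrets-style POST actions) deserve the first look."""
    return [r for r in rows if r["status"] == "Succeeded" and "/list" in r["op"]]

# Constructed sample shaped like an Activity Log response; not captured from a real tenant.
SAMPLE = {"value": [
    {"eventTimestamp": "2018-06-01T10:05:00Z", "caller": "alice@example.com",
     "httpRequest": {"clientIpAddress": "203.0.113.5"}, "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stg1"},
    {"eventTimestamp": "2018-06-01T10:01:00Z", "caller": "alice@example.com",
     "httpRequest": {"clientIpAddress": "203.0.113.5"}, "status": {"value": "Started"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
]}
```

With a live token, `timeline(fetch_events(activity_log_url(...), token))` gives the same view over a real subscription; the Activity Log only holds the control plane, so data-plane reads (blob downloads, Key Vault secret gets) still need diagnostic logs.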