• Dana Epp

Understanding audit logging in Azure

Auditing and logging of security-related events, and related alerts, are important components in an effective data protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, as well as internal attacks. You can use auditing to monitor user activity, document regulatory compliance, perform forensic analysis, and more. Alerts provide immediate notification when security events occur.

In Azure, Microsoft provides you with configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms, and address those gaps to help prevent breaches. They provide centralized monitoring, logging, and analysis systems to provide continuous visibility; timely alerts; and reports to help you manage the large amount of information generated by devices and services. If you enable it.

Herein lies the problem. I wanted to provide an introduction for generating, collecting, and analyzing security logs from services hosted on Azure, since a lot of people don't even know you can do this.

Types of logs in Azure

Azure can produce extensive logging for pretty much every Azure service. These logs are categorized into three main types:

  1. Control/management logs give visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE operations. Azure Activity Logs is an example of this type of log.

  2. Data plane logs give visibility into the events raised as part of the usage of an Azure resource. Examples of this type of log are the Windows event System, Security, and Application logs in a virtual machine and the Diagnostics Logs configured through Azure Monitor

  3. Processed events give information about analyzed events/alerts that have been processed on your behalf. Examples of this type are Azure Security Center Alerts where Azure Security Center has processed and analyzed your subscription and provides concise security alerts

Activity Logs

Using the Activity Log, you can determine the “what, who, and when” for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties.

You can retrieve events from your Activity Log using the Azure portal, CLI, PowerShell cmdlets, and Azure Monitor REST API. Activity logs have a19-day data retention period.

Diagnostic Logs

Azure Diagnostic Logs are emitted by a resource that provide rich, frequent data about the operation of that resource. The content of these logs varies by resource type (for example, Windows event system logs are one category of Diagnostic Log for VMs and blob, table, and queue logs are categories of Diagnostic Logs for storage accounts) and differ from the Activity Log, which provides insight into the operations that were performed on resources in your subscription.

Azure Diagnostics logs offer multiple configuration options that is, Azure portal, using PowerShell, Command-line interface (CLI), and REST API.

Typically you configure diagnostic logs to output to an Azure Storage account, allowing you to set the retention policy on the logs. You can also stream them to Event Hubs for ingestion by a third-party service or custom analytics solution such as PowerBI. If you use OMS, you can take advantage of processing them with Log Analytics.

Application Logs

Finally there are the application logs. These are really in the control of your application. You can leverage things like Application Insights as an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It is automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability.


Inside of all that log info is the fact that most Azure services have a wealth of auditing logs you can tap into. You can even redirect them to your favorite Security Information and Event Management (SIEM) systems using Azure log integration. The point is in many cases you have to turn them on or configure them to be ingested. I HIGHLY recommend that you go through Microsoft's detailed documentation on Azure Auditing and Logging. It will help you understand what can be logged, and how to get access to it.

Stay vigilant. Turn on those logs so you have the data.