Azure: User activity logs

Sim1S 106 Reputation points
2021-05-26T14:58:33.557+00:00

Hello everyone,

I'm working on an Azure environment for the first time, and as for my first task I'm requested to study and understand the different types of alerts Azure can generate. I dug up all the documentation I could find on Microsoft Learn, regarding alerts, signals and notifications.

I've seen the type of alerts under Monitor>Alerts (log alerts, activity log alerts and metric alerts) but as for now I couldn't find anything of use for the cause.

Basically, I've been asked to elaborate (if possible) a set of alert rules (or maybe even more than one), which are to be triggered when determined activities are performed by users.

An example of activity that could trigger this kind of alert is: a user sent a large number of e-mails to another e-mail address in a very short time span (to leak information outside of the company).

As I said before, as far as I've read I couldn't find anything of the sort. The only reports about user activities I could find were the ones about risky sign-ins and login audits from Azure AD. Am I missing something? Can you guys give me a heads-up?

Thank you very much, and feel free to share whatever you have for me please, I'm very much open to any kind of suggestion and advice.
Also let me know whether you need more information, thanks again!

Sim

Tags: Azure Functions, Microsoft Entra ID

Accepted answer
    James Hamil 22,086 Reputation points Microsoft Employee
    2021-05-28T19:45:09.513+00:00

    Hi @Sim1S ,

    I was able to get some more information for you. My service area works with Azure AD. Setting up alert rules comes under Azure Monitor. We deal with Azure Monitor when it is related to AAD logs monitoring, but the solution to your question is not related to Azure AD. I can help as much as I can but I would recommend posting on the Azure Monitor forum for more specific answers related to that.

    For control over emails and alerts you should engage with O365/Exchange Online. These are some docs that I think can help you: mail flow rules in Exchange Online (Office 365) and Recommended Exchange Online Access Policies.

    For the other questions you had:

    • "Which resource is involved in the process?" - Azure Monitor deals with Azure resources (compute resources, Azure VMs etc.), and diagnostic settings are meant to be configured for those resources.
    • "On which type of resource should I enable it to monitor user activities? Which alerts can be fired according to the same criteria?" The Azure Monitor Overview documentation should help with this.

    I hope I at least was able to point you in the right direction. If this answer helped you please mark it as "Verified" so other users may reference it.

    Best,
    James
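The detection the question describes (one user sending many messages to a single external address within a short time) is not something a stock Azure Monitor alert rule expresses, as the answer above notes; it is a threshold over a sliding window on mail events. The block below is an added example, not code from the thread, from Microsoft or from any Exchange Online feature, showing that logic over constructed message-trace-style records. The internal domain, the threshold, the window and the sample records are all assumptions; in a real tenant the records would come from an Exchange Online message trace or a Log Analytics export and the same rule would be written in KQL.

```python
"""Sliding-window burst detector for outbound mail events.

Added example (not from the original thread or from Microsoft). Flags a
(sender, external recipient) pair once the number of messages inside a
sliding time window reaches a threshold. All values below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "contoso.example"   # assumed tenant domain
THRESHOLD = 20                        # messages to one recipient ...
WINDOW = timedelta(minutes=5)         # ... within this sliding window


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    sender: str
    recipient: str


@dataclass(frozen=True)
class Alert:
    sender: str
    recipient: str
    count: int
    first: datetime   # oldest message still inside the window when it fired
    last: datetime    # the message that crossed the threshold


def is_external(address: str) -> bool:
    """True when the recipient is outside the (assumed) tenant domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one Alert per (sender, recipient) pair whose message count
    inside any sliding window of length `window` reaches `threshold`.
    Internal-to-internal mail is ignored; each pair alerts at most once."""
    recent = defaultdict(deque)   # (sender, recipient) -> timestamps in window
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_external(ev.recipient):
            continue
        key = (ev.sender.lower(), ev.recipient.lower())
        q = recent[key]
        q.append(ev.ts)
        # Drop timestamps that have slid out of the window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Alert(key[0], key[1], len(q), q[0], q[-1]))
    return alerts


def parse_trace_line(line: str) -> MailEvent:
    """Parse one constructed CSV line of the form timestamp,sender,recipient
    with an ISO-8601 UTC timestamp ending in 'Z'."""
    ts, sender, recipient = line.strip().split(",")
    return MailEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     sender, recipient)


def _fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_events():
    """Constructed sample: alice sends 25 messages to one external mailbox
    ten seconds apart (a burst); dave sends 25 messages to an external
    mailbox twenty minutes apart (normal cadence); bob mails internally."""
    base = datetime(2021, 5, 26, 14, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        lines.append(f"{_fmt(base + timedelta(seconds=10 * i))},"
                     "alice@contoso.example,dropbox@external.example")
    for i in range(25):
        lines.append(f"{_fmt(base + timedelta(minutes=20 * i))},"
                     "dave@contoso.example,partner@external.example")
    lines.append(f"{_fmt(base + timedelta(minutes=1))},"
                 "bob@contoso.example,carol@contoso.example")
    return [parse_trace_line(line) for line in lines]


if __name__ == "__main__":
    for a in detect_bursts(sample_events()):
        print(f"ALERT {a.sender} -> {a.recipient}: {a.count} messages "
              f"between {a.first.isoformat()} and {a.last.isoformat()}")
```

Running it prints a single alert for alice, raised on her 20th message (190 seconds after the first); dave never accumulates more than one message per window and bob's internal mail is skipped. The threshold and window are tuning decisions: lowering them catches slower leaks but raises noise from legitimate bulk senders, so any rule of this shape should start from a baseline of normal per-user volume in the tenant.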

