I've opened up a feedback item for adding documentation and integration with diagnostic settings. Feel free to use that request as a means to drive Microsoft to better document these logs and provide a simple means to export them.
Microsoft Azure records platform-level events to the Activity Log. The Activity Log will contain events related to the creation, modification, and deletion of Azure resources. Examples include the creation of a role assignment or modification of a Virtual Machine's network interface. It is critical for organizations to preserve and analyze these logs to maintain the security of the Azure platform.
Microsoft public documentation focuses on Activity Logs at the subscription scope. However, there are also Activity Logs at the Management Group and Tenant scope. Management Group Activity Logs include important events such as modification of Azure Policy or Azure RBAC. Tenant Activity Logs include modifications of Azure RBAC at the root scope (/).
Azure Monitor maintains 90 days' worth of these logs by default. Customers must export the logs to retain them longer than 90 days. Activity Logs at the subscription scope can be exported using Azure Diagnostic Settings via the Portal, CLI, or REST API. At this time, Management Group Activity Logs can be exported using diagnostic settings only via the REST API. Tenant Activity Logs do not support diagnostic settings at this time and must be pulled manually from the REST API.
This Python solution demonstrates how a service principal could be used to export Tenant Activity Logs. The logs are exported into a single JSON file which can be imported into a SIEM solution or stored in long term storage such as Azure Blob Storage.
- The service principal used by the solution must have the Monitoring Reader RBAC role at the root (/) scope.
- To grant the role assignment to the service principal at the root (/) scope, the user must have the User Access Administrator role at the root (/) scope.
- Create a new service principal and assign the Monitoring Reader RBAC role at the root (/) scope.

```bash
mysp=$(az ad sp create-for-rbac --name test-sp1 \
  --role "Monitoring Reader" \
  --scopes "/")
```
- Create environment variables for the service principal client id, client secret, and tenant name.

```bash
export CLIENT_ID=$(echo $mysp | jq -r .appId)
export CLIENT_SECRET=$(echo $mysp | jq -r .password)
export TENANT_NAME="mytenant.com"
```
- Create an environment variable for how many days back you want to query the logs for. The script accepts up to a maximum value of 89. A value of 89 will query the past 90 days.

```bash
export DAYS=7
```
- Install the supporting libraries listed in the requirements.txt file. You can optionally create a virtual environment if you want to keep the libraries isolated to the script. Remember to switch to this virtual environment before running the solution.

```bash
pip install -r requirements.txt
```
- Run the script; the output file will be produced in the working directory.

```bash
python3 app.py
```
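The following is an added, stand-alone example of the export the steps above describe; it is not the project's own app.py. It authenticates the service principal with an OAuth2 client-credentials grant, queries the tenant-scope Activity Log REST endpoint (`/providers/Microsoft.Insights/eventtypes/management/values`, api-version 2015-04-01) with an `eventTimestamp` filter built from `DAYS`, follows `nextLink` paging, and writes every event to one JSON file. It reads the `CLIENT_ID`, `CLIENT_SECRET`, `TENANT_NAME` and `DAYS` variables created above and uses only the standard library; the output file name `tenant_activity_log.json` is an assumption, as the page does not give one.

```python
"""Export Azure Tenant Activity Log events to a single JSON file.

Added example, not the project's own app.py. Assumes the CLIENT_ID,
CLIENT_SECRET, TENANT_NAME and DAYS environment variables from the README.
"""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

ARM_BASE = "https://management.azure.com"
# Tenant-scope Activity Log path: note there is no subscription segment.
TENANT_LOG_PATH = "/providers/Microsoft.Insights/eventtypes/management/values"
API_VERSION = "2015-04-01"
MAX_DAYS = 89                              # same ceiling the README describes
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
OUTPUT_FILE = "tenant_activity_log.json"   # assumed name; the page gives none


def build_filter(days, now=None):
    """Return the OData $filter covering the last `days` days, in UTC."""
    if not 0 <= days <= MAX_DAYS:
        raise ValueError(f"DAYS must be between 0 and {MAX_DAYS}")
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(days=days)).strftime(TIME_FMT)
    end = now.strftime(TIME_FMT)
    return f"eventTimestamp ge '{start}' and eventTimestamp le '{end}'"


def first_page_url(days, now=None):
    """URL of the first page of tenant-scope events for the window."""
    flt = urllib.parse.quote(build_filter(days, now))
    return f"{ARM_BASE}{TENANT_LOG_PATH}?api-version={API_VERSION}&$filter={flt}"


def get_token(tenant, client_id, client_secret):
    """OAuth2 client-credentials grant scoped to the ARM audience."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def arm_get(url, token):
    """GET a JSON document from ARM using the bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def collect_events(url, fetch):
    """Follow nextLink until every page is read; `fetch(url)` returns a dict.

    The seen-set stops on a nextLink that points back at an already-read
    page, so a malformed response cannot make the exporter loop forever.
    """
    events, seen = [], set()
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        events.extend(page.get("value", []))
        url = page.get("nextLink")
    return events


def main():
    tenant = os.environ["TENANT_NAME"]
    token = get_token(tenant, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    days = int(os.environ.get("DAYS", "7"))
    events = collect_events(first_page_url(days), lambda u: arm_get(u, token))
    with open(OUTPUT_FILE, "w") as fh:
        json.dump(events, fh, indent=2)
    print(f"wrote {len(events)} events to {OUTPUT_FILE}")


if __name__ == "__main__":
    main()
```

The fetch callable is injected into `collect_events` so the paging logic can be exercised without network access, and the seen-set is the one defensive detail worth keeping in any production exporter: an unbounded `nextLink` loop is the usual way a scheduled export job hangs and silently stops delivering logs to the SIEM.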