We are excited to formally announce the public availability of Azure Activity Log Axe, an open-source tool designed to simplify and improve the analysis of Azure Activity logs. The tool, initially unveiled at the fwd:cloudsec conference in Washington D.C. a few months ago, has since been quietly assisting engineers, researchers, and analysts in the cloud security community to navigate the complexities of Azure Activity logs. Following its recent spotlight at Blue Team Con earlier this month, Permiso is now officially introducing this tool to the wider cloud community, highlighting its significant features including a newly added GUI viewer option.
Azure Activity Log Axe addresses a critical challenge in Azure log analysis by employing the "Axe Key" concept, a method that provides a more consistent and reliable way to group transactional events in Azure Activity logs, with a focus on the “Administrative” log category, a task that has long been a pain point for security professionals.
"When analyzing Azure Activity logs, security teams often struggle with the inconsistency of OperationId and CorrelationId for grouping related events, this lead me to the creation of the Axe Key" said Nathan Eades, Senior Threat Researcher and lead of the Advanced Cyber Intel & Detection division of Permiso’s P0 Labs. Looking only at the transactional logs, you may have operations that are a few logs, tens, or one hundred, these transactional logs start to feel like a burden. "This becomes especially problematic when additional statuses like 'Accepted' are present, making it challenging to track a single operation from start to finish. Azure Activity Log Axe solves this by providing a more reliable grouping mechanism, helping security teams quickly cut through the noise to better understand activity in their Azure environment" said Eades.
The Axe Key method ensures a stronger grouping mechanism by maintaining consistency across all events in an operation, providing a comprehensive view from start to end, and including key details such as final status, subStatus, and any relevant metadata. This approach significantly reduces the time and effort required to analyze Azure Activity logs, allowing security teams to focus on identifying and responding to potential threats.
The flow diagram illustrates the power of Azure Activity Log Axe and the Axe Key itself. In 'Transactional Chaos,' we see the initial problem: Operation Ids fail to group events clearly, especially in this case, for final statuses or any status after an initial status of "Accepted". This makes tracking a full operation challenging. As we follow the flow lines to the 'Transactional Calm' section, we see how the Axe Key coherently links related events across statuses and timestamps. Finally, 'Axe Key Simplification' demonstrates the tool's ultimate goal: a streamlined view that collapses multiple transactional log entries into the single operation. This progression from chaos to clarity shows how Azure Activity Log Axe cuts through complex log data, offering security teams a powerful tool for efficient Azure environment analysis and faster threat detection.
A key highlight of this updated public release is the introduction of a new GUI viewer option using Dash AG-Grid, enhancing the tool's usability and making it more friendly to those who may be more adverse to the command line.
Azure Activity Log Axe remains an open-source tool, reflecting Permiso's ongoing commitment to empowering the cloud security community. By making this enhanced version freely available, Permiso aims to elevate the overall security posture of organizations using Azure, enabling them to better detect and respond to potential threats. This will continue as the tool includes it’s own roadmap in the GitHub repository.
Use Examples:
Usage: azure-activity-log-axe [OPTIONS] COMMAND [ARGS]...
Azure Activity Log Axe: Simplify and understand your logs.
Options:
--subscription-id TEXT Azure Subscription ID [required]
--start-time TEXT Filter Start Time (If start & end time are not both provided, defaults to
last 24 hours. UTC)
--end-time TEXT Filter End Time (If start & end time are not both provided, defaults to last
24 hours. UTC)
--correlation-id TEXT Azure Correlation ID (Must be within start & end time (Microsoft Endpoint
Requirement))
--select TEXT SUB: Field Selection. Comma Delimited E.g. axeKey,caller,operationName (Used
by the Show & Save commands.)
--field-value-select TEXT SUB: Select rows based on the value of a field. E.g.
operationName:microsoft.storage/storageaccounts/listKeys/action (Used by the
Show & Save commands. Does NOT support nested field. See README for more
examples.)
--field-value-deselect TEXT SUB: De-select rows based on the value of a field. E.g.
operationName:microsoft.storage/storageaccounts/listKeys/action (Used by the
Show & Save commands. Does NOT support nested field. See README for more
examples.)
--output-type [json|csv] SUB: Output Type. (Used by the Show & Save commands.)
--filepath TEXT SUB: Absolute File Path. (Used by the Save commands.)
-h, --help Show this message and exit.
Commands:
aggrid Browser GUI - Navigate the data using AG-Grid.
interactive Interactive REPL Interface to run Azure Activity Log Axe.
save-axe-keyed-data Saves the original azure activity log data plus axeKey to a json or csv file.
save-simplified-data Saves the simplified azure activity log data to a json or csv file.
show-axe-keyed-data Prints the original azure activity log data plus axeKey (json or csv), to the cli.
show-simplified-data Prints the simplified azure activity log data (json or csv) to the cli.
summary Prints a summary of axe keyed log details.
Run Azure Activity Log Axe over a set time, using the Administrative log category, in interactive mode.
python3 azure-activity-log-axe --subscription-id <subId> --start-time 2024-09-05T04:00:00.000000Z --end-time 2024-09-16T23:05:33.5555555Z --field-value-select category:Administrative interactiv
From interactive mode, get summary:
summary
From interactive mode, start AG-Grid:
aggrid
python3 azure-activity-log-axe --subscription-id <subId> --start-time 2024-09-05T04:00:00.000000Z --end-time 2024-09-16T23:05:33.5555555Z --field-value-select category:Administrative aggrid
python3 azure-activity-log-axe --subscription-id <subId> --start-time 2024-09-05T04:00:00.000000Z --end-time 2024-09-16T23:05:33.5555555Z --field-value-select category:Administrative -select axeKey,caller,operationName,statusCounts show-simplified-data
Permiso is an identity threat detection company that finds evil in cloud-based environments. Permiso creates session constructs for the identities across cloud and SaaS applications to break down visibility boundaries and understand user behavior and intent across your environment. These session constructs are developed by stitching together activity across cloud applications, services, and providers to create an immutable ledger of activity in an environment. Permiso creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso is able to detect access anomalies, behavioral anomalies, or specific activities associated with compromised credentials. For more information, please visit our website or find us on Twitter and LinkedIn.