
security analyst security skill risk: medium

Azure Activity Logs Threat Analyzer

The prompt instructs the model to use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, detecting suspicious admin operations and sign-in anomalies…

  • Policy sensitive
  • Human review
  • External action: medium

SKILL 4 files · 2 folders

SKILL.md
---
name: analyzing-azure-activity-logs-for-threats
description: "Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative"
---
# Analyzing Azure Activity Logs for Threats


## When to Use

- When investigating security incidents that require analyzing Azure activity logs for threats
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,
detecting suspicious admin operations and sign-in anomalies.

```python
from datetime import timedelta

from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient, LogsQueryStatus

# DefaultAzureCredential resolves az login, managed identity or environment
# variables; the identity needs Log Analytics Reader on the workspace.
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)

# Control-plane role assignment writes in the last 24 hours (privilege escalation)
response = client.query_workspace(
    workspace_id="WORKSPACE_ID",
    query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10",
    timespan=timedelta(hours=24),
)

# A PARTIAL result (for example a query timeout) still carries rows in partial_data
tables = response.tables if response.status == LogsQueryStatus.SUCCESS else response.partial_data
for table in tables:
    for row in table.rows:
        print(dict(zip(table.columns, row)))
```

Key detection queries:
1. Role assignment changes (privilege escalation)
2. Resource group and subscription modifications
3. Key vault secret access from new IPs
4. Network security group rule changes
5. Conditional access policy modifications

## Examples

```python
# Detect new Global Admin role assignments (Entra ID audit log, Category "RoleManagement")
query = '''
AuditLogs
| where OperationName == "Add member to role"
| where tostring(TargetResources[0].modifiedProperties[0].newValue) has "Global Administrator"
| project TimeGenerated,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          ActorIp = tostring(InitiatedBy.user.ipAddress),
          Target = tostring(TargetResources[0].userPrincipalName)
'''
```
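The five key detection queries listed under Instructions, turned into one runnable helper as an added example (not the skill's own code). It assumes `azure-monitor-query` and `azure-identity` are installed, the standard `AzureActivity`, `AuditLogs` and `AzureDiagnostics` column names, and an identity with Log Analytics Reader; `run_detections` and `to_markdown` are hypothetical names.

```python
from datetime import timedelta
# One KQL query per key detection scenario, with the lookback window it needs
# (standard AzureActivity, AuditLogs and AzureDiagnostics columns; assumed, not the skill's code).
DETECTIONS = {
    "role_assignment_writes": (timedelta(hours=24), """AzureActivity
| where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup"""),
    "resource_group_changes": (timedelta(hours=24), """AzureActivity
| where OperationNameValue startswith "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup"""),
    # 30-day baseline of caller IPs, then last-day secret reads from IPs absent from it
    "keyvault_secret_new_ip": (timedelta(days=31), """let seen = AzureDiagnostics
| where ResourceType == "VAULTS" and OperationName == "SecretGet"
| where TimeGenerated between (ago(31d) .. ago(1d)) | distinct CallerIPAddress;
AzureDiagnostics
| where ResourceType == "VAULTS" and OperationName == "SecretGet" and TimeGenerated > ago(1d)
| join kind=leftanti seen on CallerIPAddress
| summarize Reads = count() by CallerIPAddress, Resource"""),
    "nsg_rule_changes": (timedelta(hours=24), """AzureActivity
| where OperationNameValue startswith "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/"
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, OperationNameValue"""),
    "conditional_access_changes": (timedelta(hours=24), """AuditLogs
| where Category == "Policy" and OperationName has "conditional access policy"
| project TimeGenerated, OperationName, Policy = tostring(TargetResources[0].displayName),
          Actor = tostring(InitiatedBy.user.userPrincipalName)"""),
}

def run_detections(workspace_id):
    """Run every detection against one workspace; returns {name: (columns, rows)}."""
    from azure.identity import DefaultAzureCredential  # imported here so the pure
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus  # helpers run offline
    client = LogsQueryClient(DefaultAzureCredential())
    out = {}
    for name, (window, kql) in DETECTIONS.items():
        resp = client.query_workspace(workspace_id, kql, timespan=window)
        # PARTIAL results (query timeout, row cap) still carry rows; keep them rather than drop them
        tables = resp.tables if resp.status == LogsQueryStatus.SUCCESS else resp.partial_data
        out[name] = (list(tables[0].columns), [list(r) for r in tables[0].rows]) if tables else ([], [])
    return out

def to_markdown(results):
    """Render {name: (columns, rows)} as the markdown report the skill calls for."""
    lines = ["# Azure activity threat findings"]
    for name, (cols, rows) in results.items():
        lines.append(f"\n## {name}: {len(rows)} hit(s)")
        if rows:
            lines += ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
            lines += ["| " + " | ".join(map(str, r)) + " |" for r in rows]
    return "\n".join(lines)
```

Run it with `print(to_markdown(run_detections("<workspace id>")))`; each query declares its own window because `timespan` clips the data the query can see, so the Key Vault baseline needs 31 days even though the other checks look back 24 hours.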

INPUTS

WORKSPACE_ID REQUIRED

Azure Log Analytics workspace identifier

REQUIRED CONTEXT

  • workspace_id

OPTIONAL CONTEXT

  • timespan
  • specific detection scenarios

EXPECTED OUTPUT

Format
markdown
Constraints
  • include python code snippets
  • list key detection queries

EXAMPLES

Includes Python code snippet using azure-monitor-query and one KQL query example for detecting Global Administrator role assignments.

CAVEATS

Missing context
  • Desired output format for the analysis or detections
  • Exact success criteria or validation steps
Ambiguities
  • description cuts off at 'detect suspicious administrative'

QUALITY

OVERALL
0.70
CLARITY
0.80
SPECIFICITY
0.65
REUSABILITY
0.70
COMPLETENESS
0.60

IMPROVEMENT SUGGESTIONS

  • Complete the truncated sentence in the description field.
  • Add an explicit 'Output Format' section specifying how results should be structured.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
