Lacework provides visibility into your account security through continued monitoring and analysis of the Azure Activity Logs from your subscriptions. The Azure Activity Log page provides graphs and panels that summarize the Activity Log data collected during this monitoring and analysis. Lacework ingests activity logs only; see Log Types for more information.
Select Cloud logs > Azure Activity Log in the Lacework Console to display the Azure Activity Log page.
To populate the Activity Log data viewed in this page, you must configure an integration with at least one Azure account. For more information, see Integrate Lacework with Azure.
An Azure tenant identifies an organization (account) that owns and manages Azure resources. These resources reside within Azure subscriptions.
Use the tenant filter to limit the results displayed in the dashboard to a single specific Azure tenant or to all Azure tenants integrated with Lacework. Use the subscription filter to narrow the results to a specific Azure subscription within the tenant, or select All Subscriptions (default).
Use the following methods to further refine the data displayed on the Azure Activity Log page.
- Use the search bar or filters at the top of the page to filter by specific fields, operators, and values. You can specify the * wildcard to match one or more characters. Additionally, some tables' column values let you add a filter by selecting the adjacent funnel icon.
- To remove an active filter, click its filter and then click Reset or x. To remove all filters, click Reset, which is next to the filters.
To change the time range, use the horizontal arrows to move to another period, select a different period, or select Custom.
Only information found during the specified date range is reported. For example, if a specific behavior occurred 9 days ago and the specified range is the latest week, that behavior is not listed.
The Lacework Console displays the following visual graphs:
- Unique Users
- Unique Operations
- Unique Subscriptions
- Unique Caller Regions
- Unique Resource Types
- Unique Errors
All data, including these graphs, correlates with the date range and parameters set in the global filter.
All Activity Log alerts are also displayed, broken out by severity.
In the Polygraph panel, you can visualize your data in a streamlined way that helps identify misconfigurations and both expected and unexpected events.
For Activity Logs, the Polygraph displays API behavior in the following order from left to right:
Subscription Name -> Caller IP Address -> Principal ID (User/Service/Group) -> Provider Name -> Resource Type -> Operation -> Resource ID -> Result Type
The logs listed in the Activity Logs panel resemble the logs you would see in the Azure Console (Azure > Activity Log). However, the Lacework Console lets you search and apply filters to identify and analyze actions within your Azure subscription(s).
Click the filter icon to add a filter for the values that support filtering. For example, click the filter icon next to a service to create a filter to only show data from a specific service. The new filter appears at the top of the panel. Use multiple filters, including includes and excludes, to isolate the data you want to view and inspect.
The User Details panel displays a list of Activity Log user information, including the following details:
- Principal identifier and type
- User name
- Tenant identifier and name
- Subscription identifier and name
- City, State and Country
- First seen time
- Last seen time
This panel is useful when you need to audit or assess user activity. In this panel, you can view details such as the account and location from which a user performed an activity, as well as which subscription the user accesses.
API Error Events
The API Error Events panel displays various events related to the following:
- Tenant name
- Subscription name
- Provider Name
- Resource type
- Result type
- Error count
This panel is helpful when isolating which API calls are being made to your Azure subscription(s), the associated errors that are occurring, and how many times each error occurred. For example, sort the Error Count column in descending order to list the most frequent API errors occurring within your Azure subscription; this raises visibility into service account roles and the errors they are generating that may need to be investigated and assessed.
Azure Anomaly Alerting
Azure anomaly-based alerting generates intelligent and optimized alerts for your Azure environment by comparing behavior on an hourly basis. This feature detects intrinsic changes, such as a user accessing a service for the first time or accessing it from a bad source. For the list of Azure alerts, see Alert Types.
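To make the aggregations behind the Unique graphs, the API Error Events panel, and the hourly anomaly comparison concrete, here is an added Python example. It is not Lacework's code and does not reproduce the product's own logic; it runs over a handful of constructed records that only loosely follow the Azure Activity Log event schema (the field names operationName, resourceProviderName, resourceType, resultType, caller, callerIpAddress, subscriptionId and time are schema names; every value, caller, IP and subscription id is made up). The one-hour baseline-versus-window first-seen check is my own simplification of the idea described above, not Lacework's detection model.

```python
"""Aggregations over constructed Azure Activity Log records.

Added example; not Lacework's code. The records are constructed and only
loosely follow the Azure Activity Log event schema field names.
"""
from collections import Counter
from datetime import datetime, timedelta


def _ev(time, caller, ip, sub, provider, rtype, op, result):
    # Small constructor so the constructed sample stays readable.
    return {"time": time, "caller": caller, "callerIpAddress": ip,
            "tenantId": "tenant-1", "subscriptionId": sub,
            "resourceProviderName": provider, "resourceType": rtype,
            "operationName": op, "resultType": result}


# Constructed sample: two hours of activity from two users and one
# service principal. Values are made up (documentation IP ranges).
EVENTS = [
    _ev("2024-05-01T10:02:00Z", "alice@contoso.example", "203.0.113.10", "sub-a",
        "Microsoft.Compute", "virtualMachines",
        "Microsoft.Compute/virtualMachines/start/action", "Success"),
    _ev("2024-05-01T10:30:00Z", "alice@contoso.example", "203.0.113.10", "sub-a",
        "Microsoft.Compute", "virtualMachines",
        "Microsoft.Compute/virtualMachines/start/action", "Success"),
    _ev("2024-05-01T10:45:00Z", "bob@contoso.example", "198.51.100.7", "sub-b",
        "Microsoft.Storage", "storageAccounts",
        "Microsoft.Storage/storageAccounts/listKeys/action", "Failure"),
    _ev("2024-05-01T11:05:00Z", "svc-deploy", "203.0.113.10", "sub-a",
        "Microsoft.Compute", "virtualMachines",
        "Microsoft.Compute/virtualMachines/write", "Failure"),
    _ev("2024-05-01T11:06:00Z", "svc-deploy", "203.0.113.10", "sub-a",
        "Microsoft.Compute", "virtualMachines",
        "Microsoft.Compute/virtualMachines/write", "Failure"),
    _ev("2024-05-01T11:07:00Z", "svc-deploy", "203.0.113.10", "sub-a",
        "Microsoft.Compute", "virtualMachines",
        "Microsoft.Compute/virtualMachines/write", "Failure"),
    _ev("2024-05-01T11:20:00Z", "alice@contoso.example", "192.0.2.44", "sub-a",
        "Microsoft.KeyVault", "vaults",
        "Microsoft.KeyVault/vaults/secrets/read", "Success"),
    _ev("2024-05-01T11:30:00Z", "bob@contoso.example", "198.51.100.7", "sub-b",
        "Microsoft.Storage", "storageAccounts",
        "Microsoft.Storage/storageAccounts/listKeys/action", "Failure"),
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def unique_counts(events):
    """Distinct-value counts of the kind shown in the 'Unique ...' graphs."""
    fields = {"users": "caller", "operations": "operationName",
              "subscriptions": "subscriptionId", "resourceTypes": "resourceType"}
    return {name: len({e[f] for e in events}) for name, f in fields.items()}


def error_counts(events):
    """Rows like the API Error Events panel: non-success calls grouped by
    tenant, subscription, provider, resource type and result type, sorted
    by error count descending (ties broken by key for a stable order)."""
    def key(e):
        return (e["tenantId"], e["subscriptionId"], e["resourceProviderName"],
                e["resourceType"], e["resultType"])
    counts = Counter(key(e) for e in events if e["resultType"] != "Success")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def first_time_access(events, window_start, window_hours=1):
    """Hourly first-seen check (a simplification, not Lacework's model):
    compare one hour of activity against everything before it and report
    callers that touched a resource provider, or came from a source IP,
    never seen for that caller in the baseline."""
    start = datetime.strptime(window_start, "%Y-%m-%dT%H:%M:%SZ")
    end = start + timedelta(hours=window_hours)
    baseline = [e for e in events if _ts(e) < start]
    window = [e for e in events if start <= _ts(e) < end]
    seen_provider = {(e["caller"], e["resourceProviderName"]) for e in baseline}
    seen_ip = {(e["caller"], e["callerIpAddress"]) for e in baseline}
    findings = set()
    for e in window:
        if (e["caller"], e["resourceProviderName"]) not in seen_provider:
            findings.add(("first-time-service", e["caller"], e["resourceProviderName"]))
        if (e["caller"], e["callerIpAddress"]) not in seen_ip:
            findings.add(("new-source-ip", e["caller"], e["callerIpAddress"]))
    return sorted(findings)


if __name__ == "__main__":
    print(unique_counts(EVENTS))
    for row, n in error_counts(EVENTS):
        print(n, row)
    for finding in first_time_access(EVENTS, "2024-05-01T11:00:00Z"):
        print(finding)
```

Running the module prints the distinct-value counts, the error rows with the three write failures from the service principal at the top, and four first-seen findings for the 11:00 hour: the service principal is new on both the provider and source-IP dimensions, and alice touches Key Vault from an address not in her baseline. A real deployment would keep the baseline across days rather than the two hours embedded here, and would use principal object IDs rather than display names for service principals.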