Preview Version 1.7 (2017-04-20) http://azureplatform.azurewebsites.net/ OUTDATED (April 2017) – Azure DevOps not listed, for example, and AKS is not there, but ACS is there – Sentinel also missing (Feb 2019) * Preview Services
Global Enterprise Cloud Platform https://azure.microsoft.com/en-in/regions/services/ https://azure.microsoft.com/en-us/regions/ Available in 46 regions (+ 8 announced = 54) across 140 countries
Azure Activity Log https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-logs-overview#export-the-activity-log-with-log-profiles “The Activity Log does not include read (GET) operations or operations for resources that use the Classic/"RDFE" model.” @codingoutloud
Event Grid https://docs.microsoft.com/en-us/azure/event-grid/delivery-and-retry https://docs.microsoft.com/en-us/azure/event-grid/event-schema-resource-groups Microsoft.Resources.ResourceWriteSuccess: Raised when create or update operation succeeds.
Parse JSON "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "azureblockhead@gmail.com", https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions
Wire EventGrid to an Azure Subscription https://docs.microsoft.com/en-us/azure/event-grid/event-sources
https://portal.azure.com/#blade/Microsoft_Azure_ActivityLog/ActivityLogBlade { "authorization": { "action": "Microsoft.Storage/storageAccounts/blobServices/write", "scope": "/subscriptions/78262ac9-3139-45aa-bf7d-fac56ce57c4f/resourcegroups/whoaz/providers/Microsoft.Storage/storageAccounts/disposablelikezblobby/blobServices/default" }, "caller": "azureblockhead@gmail.com",
FILTERS Microsoft.Resources/deployments Success "category": { "value": "Administrative", "authorization": { "action": "Microsoft.Advisor/register/action" "action": "…/write"
{
  "authorization": {
    "action": "Microsoft.Advisor/register/action",
    "scope": "/subscriptions/78262ac9-3139-45aa-bf7d-fac56ce57c4f"
  },
  "caller": "azureblockhead@gmail.com",
  "channels": "Operation",
  "claims": {
    "aud": "https://management.core.windows.net/",
    "iss": "https://sts.windows.net/6d45d5f0-f09b-4cab-aceb-3b3d998e24d8/",
    "iat": "1556318865",
    "nbf": "1556318865",
    "exp": "1556322765",
    "http://schemas.microsoft.com/claims/authnclassreference": "1",
    "aio": "AUQAu/8LAAAAyfil/s0KOmfjqfZFN97Z7eXCosUny49IEiWD5HeU8J7JwXEIi9D8lS/bkXP3fk4qGNSwX37lxa9H/NIj1MwJUw==",
    "altsecid": "1:live.com:00034001192496B8",
    "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
    "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
    "appidacr": "2",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "azureblockhead@gmail.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Blockhead",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Azure",
    "groups": "fe9bfa9b-13b1-45dc-a60d-2a1ded625df7",
    "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com",
    "ipaddr": "108.7.76.74",
    "name": "Azure Blockhead",
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "25043ccf-2105-4701-b546-1b406565cc45",
    "puid": "1003200045E6C2B0",
    "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "kp1IsDLo8lmPKqUiS7y87hOAlXvGIIvmGAns_mNmB-o",
    "http://schemas.microsoft.com/identity/claims/tenantid": "6d45d5f0-f09b-4cab-aceb-3b3d998e24d8",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "live.com#azureblockhead@gmail.com",
    "uti": "_7DfqDe8vEaPE3rYHVk4AA",
    "ver": "1.0",
    "wids": "62e90394-69f5-4237-9190-012177145e10"
  },
  "correlationId": "52bb68b0-691f-454a-b04f-4fa311a96a51",
  "description": "",
  "eventDataId": "63c9a7d2-8cd2-406f-b38a-7c236dd3401d",
  "eventName": { "value": "EndRequest", "localizedValue": "End request" },
  "category": { "value": "Administrative", "localizedValue": "Administrative" },
  "eventTimestamp": "2019-04-26T22:56:41.3097106Z",
  "id": "/subscriptions/78262ac9-3139-45aa-bf7d-fac56ce57c4f/providers/Microsoft.Advisor/events/63c9a7d2-8cd2-406f-b38a-7c236dd3401d/ticks/636919162013097106",
  "level": "Informational",
  "operationId": "52bb68b0-691f-454a-b04f-4fa311a96a51",
  "operationName": { "value": "Microsoft.Advisor/register/action", "localizedValue": "Register with the Provider" },
  "resourceGroupName": "",
  "resourceProviderName": { "value": "Microsoft.Advisor", "localizedValue": "Microsoft.Advisor" },
  "resourceType": { "value": "", "localizedValue": "" },
  "resourceId": "/subscriptions/78262ac9-3139-45aa-bf7d-fac56ce57c4f/providers/Microsoft.Advisor",
  "status": { "value": "Succeeded", "localizedValue": "Succeeded" },
  "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" },
  "submissionTimestamp": "2019-04-26T22:57:07.0956218Z",
  "subscriptionId": "78262ac9-3139-45aa-bf7d-fac56ce57c4f",
  "properties": { "statusCode": "OK", "serviceRequestId": null },
  "relatedEvents": []
}
Who Moved My Azure? “The activity log contains all write operations (PUT, POST, DELETE) performed on your resources. It doesn't include read operations (GET). For a list of resource actions, see Azure Resource Manager Resource Provider operations. You can use the audit logs to find an error when troubleshooting or to monitor how a user in your organization modified a resource.” https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-audit
Event Grid tap by Azure Function https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-event-grid DIAGRAM from: https://docs.microsoft.com/en-us/azure/event-grid/overview#event-sources
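Added example (not part of the original slides): one way to answer "who changed what" from Activity Log records, applying the deck's filter of category Administrative plus a successful status. It assumes records shaped like the sample event above; the names make_record and who_changed_what and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Operation suffixes that change state; the Activity Log does not record reads (GET).
CHANGE_SUFFIXES = ("/write", "/delete", "/action")

def make_record(action, scope, caller, status, ts, category="Administrative", ip=None):
    """Build a constructed record holding only the fields used below."""
    return {"authorization": {"action": action, "scope": scope}, "caller": caller,
            "claims": {"ipaddr": ip} if ip else {}, "category": {"value": category},
            "status": {"value": status}, "eventTimestamp": ts}

# Constructed sample data: placeholder subscription, example.com callers, documentation IPs.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
STORE = RG + "/providers/Microsoft.Storage/storageAccounts/demostore"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
SAMPLE = [
    make_record("Microsoft.Storage/storageAccounts/write", STORE, "alice@example.com",
                "Started", "2019-04-26T22:56:40Z", ip="203.0.113.10"),
    make_record("Microsoft.Storage/storageAccounts/write", STORE.lower(), "alice@example.com",
                "Succeeded", "2019-04-26T22:56:41Z", ip="203.0.113.10"),
    make_record("Microsoft.Storage/storageAccounts/write", STORE, "bob@example.com",
                "Failed", "2019-04-26T23:01:00Z", ip="198.51.100.7"),
    make_record("Microsoft.Authorization/policies/audit/action", STORE, "alice@example.com",
                "Succeeded", "2019-04-26T23:05:00Z", category="Policy"),
    # A non-user caller (constructed GUID) with no ipaddr claim.
    make_record("Microsoft.Compute/virtualMachines/delete", VM,
                "11111111-1111-1111-1111-111111111111", "Succeeded", "2019-04-26T23:10:00Z"),
]

def who_changed_what(records):
    """Map each resource scope to its successful Administrative changes, oldest first."""
    report = defaultdict(list)
    for r in sorted(records, key=lambda r: r.get("eventTimestamp", "")):
        auth = r.get("authorization") or {}
        action = auth.get("action", "")
        if (r.get("category", {}).get("value") != "Administrative"
                or r.get("status", {}).get("value") != "Succeeded"
                or not action.lower().endswith(CHANGE_SUFFIXES)):
            continue
        # Resource IDs are case-insensitive ("resourcegroups" vs "resourceGroups").
        report[auth.get("scope", "").lower()].append({
            "when": r.get("eventTimestamp"), "who": r.get("caller", "unknown"),
            "from_ip": (r.get("claims") or {}).get("ipaddr"), "action": action})
    return dict(report)

if __name__ == "__main__":
    for scope, changes in who_changed_what(SAMPLE).items():
        print(scope, changes)
```

Only the Succeeded record of each operation is kept, so the Started and Failed entries for the same resource do not show up as changes.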
Questions?
Find this slide deck here See you at Boston Azure bostonazure.org Bill Wilder @codingoutloud codingoutloud@gmail.com blog.codingoutloud.com linkedin.com/in/billwilder
Subliminal … 0.25