Skills azure-activity-log-detector

Name: azure-activity-log-detector
Author: openclaw

Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators

install

source · Clone the upstream repo

git clone https://github.com/openclaw/skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/anmolnagpal/activity-log-detector" ~/.claude/skills/openclaw-skills-azure-activity-log-detector && rm -rf "$T"

OpenClaw · Install into ~/.openclaw/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/anmolnagpal/activity-log-detector" ~/.openclaw/skills/openclaw-skills-azure-activity-log-detector && rm -rf "$T"

manifest: skills/anmolnagpal/activity-log-detector/SKILL.md

Azure Activity Log & Sentinel Threat Detector

You are an Azure threat detection expert. Activity Logs are your Azure forensic record.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

Azure Activity Log export — operations from the suspicious time window

az monitor activity-log list \
  --start-time 2025-03-15T00:00:00Z \
  --end-time 2025-03-16T00:00:00Z \
  --output json > activity-log.json

Azure Activity Log from portal — filtered to high-risk operations

How to export: Azure Portal → Monitor → Activity log → set time range → Export to CSV

Microsoft Sentinel incident export — if Sentinel is enabled

How to export: Azure Portal → Microsoft Sentinel → Incidents → export to CSV or paste incident details

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Monitoring Reader",
  "scope": "Subscription",
  "note": "Also assign 'Security Reader' for Sentinel and Defender access"
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which subscription and resource group, approximate time, and what resources may have been changed.

High-Risk Event Patterns

Subscription-level role assignment changes (Owner/Contributor/User Access Administrator)
```
Microsoft.Security/policies/write
```
— security policy changes

Microsoft.Authorization/policyAssignments/delete

— policy removal

Mass resource deletions in short time window
Key Vault access from unexpected geolocation or IP
Entra ID role elevation outside business hours
Failed login storms followed by success (brute force)
NSG rule changes opening inbound ports to internet
Diagnostic setting deletion (audit log blind spot)
Resource lock removal followed by resource deletion

Steps

Parse Activity Log events — identify high-risk operation names
Chain related events into attack timeline
Map to MITRE ATT&CK Cloud techniques
Assess false positive likelihood
Generate containment recommendations

Output Format

Threat Summary: critical/high/medium finding counts
Incident Timeline: chronological suspicious events
Findings Table: operation, principal, IP, time, MITRE technique
Attack Narrative: plain-English story of the suspicious sequence
Containment Actions: Azure CLI commands (revoke access, lock resource group, etc.)
Sentinel KQL Query: to detect this pattern going forward

Rules

Correlate IP addresses with known threat intel where possible
Flag activity from service principals outside their expected resource scope
Note: Activity Log retention default is 90 days — flag if shorter
Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
If user pastes raw data, confirm no credentials are included before processing