with one click
analyzing-azure-activity-logs-for-threats
">"
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
">"
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Command injection testing methodology covering OS command injection, code injection, filter evasion, blind command injection, and shell-specific techniques for bash, PowerShell, and cmd.exe.
Multi-step exploit chaining methodology for combining low-severity findings into full compromise paths. Covers attack chain scoring, approval gates, and systematic approach to turning individual findings into complete attack paths.
Comprehensive privilege escalation methodology for Linux and Windows. Covers kernel exploits, SUID binaries, service misconfigurations, credential harvesting, and both local privilege escalation paths.
Comprehensive reconnaissance methodology covering OSINT, subdomain enumeration, technology fingerprinting, DNS reconnaissance, and attack surface mapping. Includes passive and active recon techniques with OPSEC considerations.
Comprehensive SQL injection testing methodology covering Union-based, Error-based, Blind (Boolean/Time-based), Stacked queries, and WAF bypass techniques. Includes database-specific payloads for MySQL, PostgreSQL, MSSQL, Oracle, SQLite, and NoSQL injection.
Comprehensive Server-Side Request Forgery (SSRF) testing methodology covering basic SSRF, blind SSRF, DNS rebinding, cloud metadata exploitation, and gopher/redis attacks. Includes bypass techniques and automation.
| name | analyzing-azure-activity-logs-for-threats |
| description | > |
Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, detecting suspicious admin operations and sign-in anomalies.
from azure.identity import DefaultAzureCredential
from azure.monitor.query import LogsQueryClient
from datetime import timedelta
credential = DefaultAzureCredential()
client = LogsQueryClient(credential)
response = client.query_workspace(
workspace_id="WORKSPACE_ID",
query="AzureActivity | where OperationNameValue has 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE' | take 10",
timespan=timedelta(hours=24),
)
Key detection queries:
# Detect new Global Admin role assignments
query = '''
AuditLogs
| where OperationName == "Add member to role"
| where TargetResources[0].modifiedProperties[0].newValue has "Global Administrator"
'''