Azure Forensics

Forensic Labs
4 min read, Jul 31, 2023


Continuing our video tutorials on cloud incident response and forensics, our next video is on forensics in Azure:

We’ve built a tool for automating forensics and incident response in Azure; you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in Azure.

How can you prepare for an incident in Azure?

Know Your Data

Identify your crown jewels. Do you hold particularly sensitive information, such as Personally Identifiable Information (PII) or payment card data in scope for PCI DSS?

If so, you need to know exactly where it lives and which systems process it. That includes every copy, not just the primary store: backups, log output, exports and test environments that may shadow the original data.

Have Backups, And Test They Work

A tested disaster recovery plan mitigates not just security incidents like ransomware but also other likely events such as data centre hardware failure. Ransomware is a high risk because it combines high impact with a relatively high likelihood of occurrence, and ransomware operators deliberately delete or encrypt any backups they can reach before detonating, so keep at least one copy that compromised credentials cannot alter (offline, or in immutable storage) and restore from it regularly to prove that it works.

Restrict Administrative Accounts

In general, follow the principle of least privilege: as few standing administrators as possible, each holding only the roles they need. In particular, Microsoft provides detailed advice on how to secure administrative accounts in Azure AD, including dedicated admin accounts kept separate from day-to-day identities and Privileged Identity Management (PIM) for just-in-time elevation.

Require Multi-Factor Authentication for all User Accounts

Enforce MFA through Conditional Access policies rather than per-user settings, so that no account is silently left out, and review any exclusions regularly.

Review Azure Security Center Settings

Azure Security Center (now part of Microsoft Defender for Cloud) gives a centralized view of both security findings and configuration options. Unfortunately, many of the most useful features, such as the paid Defender plans that generate security alerts, need to be enabled (at cost) in advance of any breach; they cannot be switched on afterwards to produce alerts for activity that has already happened.

Limit Network and Remote Access

Limit any connectivity to the internet from your machines as much as possible. A common security issue in Azure is Windows machines with RDP (TCP 3389) accessible from the internet. Such hosts are continuously password-sprayed and brute-forced, and a single guessed credential is one of the most common initial access routes for ransomware. Put management ports behind a VPN, Azure Bastion or just-in-time VM access, and check your Network Security Groups for rules that allow 3389 or 22 from any source.
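A check for the NSG misconfiguration described above, written as an added example that is not code from the original article. It evaluates rules the way the platform does, lowest priority number first with the first match winning, so a Deny that sits above a broad Allow is respected. It assumes the camelCase JSON shape returned by `az network nsg rule list --include-default -o json`; the rule sets embedded below are constructed, not captured from a real tenant.

```python
"""Find NSG rules that let the whole Internet reach a management port.

Added example, not code from the original article. Input is the camelCase
JSON shape returned by `az network nsg rule list --include-default -o json`
(an assumption about the CLI output; the rules below are constructed).
"""
import json

# Source prefixes that mean "any address on the Internet".
INTERNET_WIDE = {"*", "internet", "0.0.0.0/0", "::/0"}


def parse_rules(text):
    """Load a JSON array of NSG rule objects."""
    return json.loads(text)


def _values(rule, single, plural):
    """A rule carries either the singular key (`sourceAddressPrefix`,
    `destinationPortRange`) or the plural list form, with the other one null;
    normalise both to one list of strings."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.insert(0, rule[single])
    return values


def _port_matches(port, spec):
    """`spec` is '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_covers(rule, port, protocol="tcp"):
    """True if this inbound rule matches traffic from ANY Internet address to
    `port`. Rules scoped to a narrower source (an office CIDR, a service tag
    such as VirtualNetwork) are ignored on purpose: a narrow Allow is not
    Internet exposure, and a narrow Deny does not shield the rest of the Internet."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", protocol):
        return False
    sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
    if not sources & INTERNET_WIDE:
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return any(_port_matches(port, p) for p in ports)


def exposing_rule(rules, port, protocol="tcp"):
    """NSG rules are evaluated from the lowest priority number upward and the
    first match wins, so a Deny at 200 shadows an Allow at 300. Return the name
    of the Allow rule that exposes `port`, or None if the first matching rule
    (or the platform's DenyAllInBound at 65500) denies it."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_covers(rule, port, protocol):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None


def find_exposures(text, ports=(3389, 22)):
    """Map each exposed port to the rule responsible; unexposed ports are omitted."""
    rules = parse_rules(text)
    found = {}
    for port in ports:
        name = exposing_rule(rules, port)
        if name:
            found[port] = name
    return found


# Constructed sample data: the default rules every NSG carries, plus customer
# rules. "TempAllowMgmt" is the classic mistake: source '*' and a port range
# that happens to include 3389.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
OFFICE_RDP = {"name": "AllowRDPFromOffice", "priority": 100, "direction": "Inbound",
              "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
              "destinationPortRange": "3389"}
TEMP_MGMT = {"name": "TempAllowMgmt", "priority": 300, "direction": "Inbound", "access": "Allow",
             "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": None,
             "destinationPortRanges": ["22", "3000-4000"]}
DENY_RDP = {"name": "DenyRDPFromInternet", "priority": 200, "direction": "Inbound",
            "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
            "destinationPortRange": "3389"}

EXPOSED_NSG = json.dumps(DEFAULT_RULES + [OFFICE_RDP, TEMP_MGMT])
SHIELDED_NSG = json.dumps(DEFAULT_RULES + [OFFICE_RDP, DENY_RDP, TEMP_MGMT])

if __name__ == "__main__":
    print("exposed  :", find_exposures(EXPOSED_NSG))   # {3389: 'TempAllowMgmt', 22: 'TempAllowMgmt'}
    print("shielded :", find_exposures(SHIELDED_NSG))  # {22: 'TempAllowMgmt'}
```

Feed it the output of the `az` command for each NSG in the subscription; note that the "shielded" set still exposes SSH, which is exactly the kind of partial fix a quick portal edit leaves behind.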


Encrypt Data at Rest and in Transit

The general advice is to ensure data is always encrypted at rest and in transit. Encryption at rest in the cloud is mainly a defence against loss of the underlying media and against the provider itself; it does nothing against an attacker holding a valid identity, because the platform decrypts transparently for any principal with read access, which is why there are open discussions about how much it adds for some cloud services. You may nevertheless have firm requirements here if you are in a regulated industry such as finance or healthcare.

Enable Logging

“Forensic readiness” helps you not only detect incidents earlier but also make investigations more thorough and efficient: the more relevant data you have, the more likely you are to find the root cause of an incident. Ensuring the right logs are enabled before an incident makes all the difference, and so does retention. The Activity Log is kept for 90 days and Azure AD sign-in logs for 7 days (free tier) or 30 days (Premium P1/P2) unless you forward them through Diagnostic settings to a Log Analytics workspace, a storage account or your SIEM, so forward them.

Understand the Environment

It is important to gain an understanding of the environment in which the incident occurred.

If you are an internal SOC, you may already know the answers to these questions in advance of an incident:

  • Where is sensitive data stored?
  • How are users connected to Azure Active Directory?
  • Who are the administrators?
  • Where are logs stored?
  • What Azure Products and Services are in use?
  • Is Azure AD synchronised with on-premises Active Directory (for example via Azure AD Connect), and is it the tenant behind Microsoft 365? A compromise on either side can extend to the other.

Investigating Active Directory

Azure Active Directory (Azure AD, which Microsoft is renaming Microsoft Entra ID) is Microsoft’s cloud-based identity and access management service. It combines core directory services, application access management and identity protection in a single service. Single sign-on reduces password fatigue, multi-factor authentication blunts credential phishing, and it also provides group management and device management capabilities.

When responding to an incident:

  • Identify highly privileged users (Global Administrators and other directory roles, plus Owner and Contributor assignments on subscriptions) using the Azure Portal or Microsoft Graph; the older Azure AD Graph API is deprecated
  • Identify which applications and service principals Azure AD authenticates, and review their credentials and consented permissions, since attackers persist by adding a secret or certificate to an existing application
  • Identify and deactivate potentially compromised user accounts, reset their passwords and revoke their sessions and refresh tokens so that tokens already issued stop working
  • Identify and disable legacy authentication methods (IMAP, POP, SMTP AUTH, Exchange ActiveSync), which cannot enforce MFA and are the usual target of password spraying

Will Oram has made a great guide on how to specifically respond to incidents involving Azure Active Directory.
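The sign-in log triage behind the last two steps above, as an added example that is not code from the original article or from Will Oram’s guide. It finds users still authenticating over legacy protocols, IPs that are password-spraying (one source, many users, wrong-password failures), and the accounts where a spray actually landed. It assumes the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `clientAppUsed`, `ipAddress`, `status.errorCode`) as returned by `Get-MgAuditLogSignIn` or a Log Analytics export; the records embedded below are constructed, and the legacy client list is a starting point drawn from the documented `clientAppUsed` values, not an exhaustive one.

```python
"""Triage Azure AD sign-in logs for legacy authentication and password spraying.

Added example, not code from the original article. Records use the field
names of the Microsoft Graph `signIn` resource (an assumption about the
export shape); the sign-ins below are constructed, not captured.
"""
from collections import defaultdict

# clientAppUsed values that indicate legacy (basic) authentication. These
# protocols cannot enforce MFA, which is why attackers prefer them. Starting
# point, not an exhaustive list.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
}
INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def is_success(record):
    return record["status"]["errorCode"] == 0


def legacy_auth_users(records):
    """Users who successfully authenticated over a legacy protocol; each is a
    candidate for blocking legacy auth via Conditional Access."""
    users = {r["userPrincipalName"] for r in records
             if is_success(r) and r["clientAppUsed"] in LEGACY_CLIENT_APPS}
    return sorted(users)


def spray_sources(records, min_users=3):
    """IPs whose wrong-password failures hit at least `min_users` distinct
    accounts: many users x one IP x few attempts each is the spray signature,
    as opposed to brute force (one user, many attempts)."""
    failures = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            failures[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failures.items()
            if len(users) >= min_users}


def accounts_to_contain(records, min_users=3):
    """Accounts with a SUCCESSFUL sign-in from a spraying IP: the spray
    landed. Disable, reset and revoke sessions for these first."""
    bad_ips = set(spray_sources(records, min_users))
    hits = {r["userPrincipalName"] for r in records
            if is_success(r) and r["ipAddress"] in bad_ips}
    return sorted(hits)


def _signin(user, app, ip, code, when):
    return {"createdDateTime": when, "userPrincipalName": user,
            "clientAppUsed": app, "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: normal sign-ins from the office range (203.0.113.0/24),
# a spray from 198.51.100.7 that fails against four users and then succeeds
# against bob over IMAP4, and one ordinary typo by dave.
SAMPLE_SIGNINS = [
    _signin("alice@contoso.example", "Browser", "203.0.113.10", 0, "2023-07-30T08:12:03Z"),
    _signin("carol@contoso.example", "Authenticated SMTP", "203.0.113.12", 0, "2023-07-30T08:15:40Z"),
    _signin("alice@contoso.example", "Other clients", "198.51.100.7", 50126, "2023-07-30T09:01:02Z"),
    _signin("carol@contoso.example", "Other clients", "198.51.100.7", 50126, "2023-07-30T09:01:09Z"),
    _signin("dave@contoso.example", "Other clients", "198.51.100.7", 50126, "2023-07-30T09:01:15Z"),
    _signin("erin@contoso.example", "Other clients", "198.51.100.7", 50126, "2023-07-30T09:01:21Z"),
    _signin("bob@contoso.example", "IMAP4", "198.51.100.7", 0, "2023-07-30T09:01:27Z"),
    _signin("dave@contoso.example", "Browser", "203.0.113.55", 50126, "2023-07-30T10:30:00Z"),
]

if __name__ == "__main__":
    print("legacy auth users :", legacy_auth_users(SAMPLE_SIGNINS))
    print("spray sources     :", spray_sources(SAMPLE_SIGNINS))
    print("contain now       :", accounts_to_contain(SAMPLE_SIGNINS))
```

The threshold of three distinct users per IP is deliberately low for a small sample; on a real tenant raise it and add a time window, otherwise a shared NAT address with a few users mistyping passwords will show up as a spray.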

Logging in Azure

Azure has a number of different logs, including:

  • Activity Logs: control plane (management) events against your subscription, e.g. creating a Virtual Machine or assigning a role. View them under Azure Monitor > Activity Log; retained for 90 days unless exported.
  • Resource Logs: data plane events inside a resource, for example retrieving a secret from a Key Vault. Off by default; enabled per resource from Diagnostic settings.
  • Azure Active Directory Logs: sign-ins, audit events (user, group, role and application changes) and risk detections. Forwarded from Azure AD > Diagnostic settings.
  • Windows Azure Diagnostics: logs collected from inside the guest OS (event logs, performance counters). These can be forwarded to your SIEM.
  • Application Logs: general application health and performance (e.g. App Service logs, Application Insights).
  • Storage Analytics Logs: per-request logs specific to the storage service, showing which principal read, listed or wrote which blob.
  • Network Security Group Flow Logs: 5-tuple flow records (source and destination IP and port, protocol) with the allow/deny decision and the rule that matched; no payload.
  • Security Center / Defender for Cloud: alerts raised for potentially malicious events
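Once the Activity Log is exported, the first triage pass is usually "which succeeded control-plane operations matter, and who did them". The script below does that pass, as an added example that is not code from the original article. It assumes the record shape returned by `az monitor activity-log list -o json` (`operationName.value`, `status.value`, `caller`, `eventTimestamp`, `httpRequest.clientIpAddress`, `resourceId`); the operation names are real resource-provider operations but the list is a starting point to extend, and the events embedded below are constructed.

```python
"""Pull high-risk control-plane operations out of an Azure Activity Log export.

Added example, not code from the original article. Records follow the shape
`az monitor activity-log list -o json` returns (an assumption); the events
below are constructed, not captured.
"""
from collections import Counter

# Operations an attacker performs to gain persistence, disable visibility or
# reach inside machines. All are normal admin actions too, so the output is a
# triage list to review against change records, not an alert on its own.
HIGH_RISK_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "RBAC role granted",
    "microsoft.authorization/roleassignments/delete": "RBAC role removed",
    "microsoft.insights/diagnosticsettings/delete": "diagnostic logging removed",
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule changed",
    "microsoft.compute/virtualmachines/runcommand/action": "command executed on VM",
    "microsoft.keyvault/vaults/accesspolicies/write": "Key Vault access policy changed",
}


def _op(record):
    return record["operationName"]["value"].lower()


def triage(records):
    """Succeeded high-risk operations as a time-ordered list. One operation
    produces several events (Started, Accepted, Succeeded/Failed) sharing a
    correlationId; keeping only Succeeded avoids double counting and drops
    attempts that never took effect (a Failed attempt is still worth a look
    for intent, so keep the raw export)."""
    rows = []
    for r in records:
        if r["status"]["value"] != "Succeeded" or _op(r) not in HIGH_RISK_OPERATIONS:
            continue
        rows.append({
            "time": r["eventTimestamp"],
            "caller": r["caller"],
            "ip": (r.get("httpRequest") or {}).get("clientIpAddress"),
            "what": HIGH_RISK_OPERATIONS[_op(r)],
            "resource": r["resourceId"],
        })
    return sorted(rows, key=lambda row: row["time"])


def callers(records):
    """How many high-risk changes each identity made; a service principal or
    guest at the top of this list is where the investigation starts."""
    return Counter(row["caller"] for row in triage(records))


def _event(op, status, caller, ip, when, resource, corr):
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": caller, "httpRequest": {"clientIpAddress": ip},
            "eventTimestamp": when, "resourceId": resource, "correlationId": corr}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
# Constructed sample: an admin's routine VM deployment, then an unfamiliar
# caller granting a role, removing diagnostic logging and opening an NSG rule
# (including the Started/Succeeded pair and a Failed attempt, as the real log
# produces them).
SAMPLE_EVENTS = [
    _event("Microsoft.Compute/virtualMachines/write", "Succeeded",
           "admin@contoso.example", "203.0.113.10", "2023-07-30T08:00:00Z",
           SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01", "c1"),
    _event("Microsoft.Authorization/roleAssignments/write", "Started",
           "svc-deploy@contoso.example", "198.51.100.7", "2023-07-30T09:05:00Z",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/a1", "c2"),
    _event("Microsoft.Authorization/roleAssignments/write", "Succeeded",
           "svc-deploy@contoso.example", "198.51.100.7", "2023-07-30T09:05:02Z",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/a1", "c2"),
    _event("Microsoft.Insights/diagnosticSettings/delete", "Succeeded",
           "svc-deploy@contoso.example", "198.51.100.7", "2023-07-30T09:06:10Z",
           SUB + "/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/kv-prod"
           "/providers/Microsoft.Insights/diagnosticSettings/audit", "c3"),
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Failed",
           "svc-deploy@contoso.example", "198.51.100.7", "2023-07-30T09:07:30Z",
           SUB + "/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups"
           "/web-nsg/securityRules/TempAllowMgmt", "c4"),
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded",
           "svc-deploy@contoso.example", "198.51.100.7", "2023-07-30T09:08:00Z",
           SUB + "/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups"
           "/web-nsg/securityRules/TempAllowMgmt", "c5"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["time"], row["caller"], row["ip"], row["what"], row["resource"])
    print(callers(SAMPLE_EVENTS))
```

The diagnostic settings deletion is the one to chase first: it is both a high-risk change in itself and the reason the resource logs for that Key Vault may stop at 09:06.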

See also:

Open Source Tools

The community has created a number of tools that may be of use when responding to incidents in Azure:

Native Azure Tools

Microsoft provides advice on how to use the following platforms to investigate security incidents: