Azure Activity solution for Sentinel

Solution: Azure Activity

Azure Activity Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com/
Categories	domains
Version	3.0.3
Author	Microsoft - support@microsoft.com
First Published	2022-04-18
Last Updated	2026-02-27
Solution Folder	Azure Activity
Marketplace	Azure Marketplace · Popularity: 🟢 High (96%)

The Azure Activity solution for Microsoft Sentinel enables you to ingest Azure Activity Administrative, Security, Service Health, Alert, Recommendation, Policy, Autoscale and Resource Health logs using Diagnostic Settings into Microsoft Sentinel.

Data Connectors
Tables Used
Content Items

Data Connectors

This solution provides 1 data connector(s):

Azure Activity

Tables Used

This solution uses 1 table(s):

Table	Used By Connectors	Used By Content
`AzureActivity`	Azure Activity	Analytics, Hunting, Workbooks

Internal Tables

The following 1 table(s) are used internally by this solution's content items:

Table	Used By Connectors	Used By Content
`IdentityInfo`	-	Analytics

Content Items

This solution includes 31 content item(s):

Content Type	Count
Hunting Queries	15
Analytic Rules	14
Workbooks	2

Analytic Rules

Name	Severity	Tactics	Tables Used
Azure Machine Learning Write Operations	Low	InitialAccess, Execution, Impact	`AzureActivity`
Creation of expensive computes in Azure	Low	DefenseEvasion	`AzureActivity`
Mass Cloud resource deletions Time Series Anomaly	Medium	Impact	`AzureActivity`
Microsoft Entra ID Hybrid Health AD FS New Server	Medium	DefenseEvasion	`AzureActivity`
Microsoft Entra ID Hybrid Health AD FS Service Delete	Medium	DefenseEvasion	`AzureActivity`
Microsoft Entra ID Hybrid Health AD FS Suspicious Application	Medium	CredentialAccess, DefenseEvasion	`AzureActivity`
NRT Creation of expensive computes in Azure	Medium	DefenseEvasion	`AzureActivity`
NRT Microsoft Entra ID Hybrid Health AD FS New Server	Medium	DefenseEvasion	`AzureActivity`
New CloudShell User	Low	Execution	`AzureActivity`
Rare subscription-level operations in Azure	Low	CredentialAccess, Persistence	`AzureActivity`
Subscription moved to another tenant	Low	Impact	`AzureActivity`
Suspicious Resource deployment	Low	Impact	`AzureActivity`
Suspicious granting of permissions to an account	Medium	Persistence, PrivilegeEscalation	`AzureActivity` Internal use: `IdentityInfo`
Suspicious number of resource creation or deployment activities	Medium	Impact	`AzureActivity`

Hunting Queries

Name	Tactics	Tables Used
Anomalous Azure Operation Hunting Model	LateralMovement, CredentialAccess	`AzureActivity`
Azure Machine Learning Write Operations	InitialAccess, Execution, Impact	`AzureActivity`
Azure Network Security Group NSG Administrative Operations	Impact	`AzureActivity`
Azure VM Run Command executed from Azure IP address	LateralMovement, CredentialAccess	`AzureActivity`
Azure Virtual Network Subnets Administrative Operations	Impact	`AzureActivity`
Azure storage key enumeration	Discovery	`AzureActivity`
AzureActivity Administration From VPS Providers	InitialAccess	`AzureActivity`
Common deployed resources	Impact	`AzureActivity`
Creation of an anomalous number of resources	Impact	`AzureActivity`
Granting permissions to account	Persistence, PrivilegeEscalation	`AzureActivity`
Microsoft Sentinel Analytics Rules Administrative Operations	Impact	`AzureActivity`
Microsoft Sentinel Connectors Administrative Operations	Impact	`AzureActivity`
Microsoft Sentinel Workbooks Administrative Operations	Impact	`AzureActivity`
Port opened for an Azure Resource	CommandAndControl, Impact	`AzureActivity`
Rare Custom Script Extension	Execution	`AzureActivity`

Workbooks

Name	Tables Used
AzureActivity	`AzureActivity`
AzureServiceHealthWorkbook	`AzureActivity`

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.4	25-02-2026	Updated description_detailed for the Rare_Custom_Script_Extension Hunting Query
3.0.3	19-02-2025	Added new Workbook Azure Service Health to the Solution and added new Hunting query Machine_Learning_Creation.yaml. Added new Analytic Rule Machine_Learning_Creation.yaml
3.0.2	21-02-2024	Modified Entity Mappings of Analytic Rules
3.0.1	23-01-2024	Added subTechniques in Template
3.0.0	06-11-2023	Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID. Optimized the Analytic Rule query logic to achieve expected results