ClawHub

Activity Log Detector

Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 175 · 0 current installs · 0 all-time installs
byAnmol Nagpal@anmolnagpal
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested inputs and outputs: the skill asks the user to provide Activity Log and Sentinel exports and describes the analysis it will perform. It does not request unrelated credentials, binaries, or cloud access.
Instruction Scope
SKILL.md stays within scope: it instructs the user how to export logs, what events to look for, analysis steps, and output format. It appropriately warns users not to provide credentials and to confirm exported data contains no secrets. Note: pasted logs can include sensitive identifiers, IPs, and user principals — the skill relies on users to sanitize data before sharing.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk or installed by the skill itself.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The RBAC role shown is documentation for users who run the example CLI themselves — it does not ask for elevated or unrelated credentials.
Persistence & Privilege
The skill does not request always:true or any persistent privileges. It is user-invocable and allows autonomous invocation by default (platform default), but it does not request credentials or system-level configuration changes.
Assessment
This skill appears coherent and safe as an instruction-only analyzer, but be careful with what you paste: Activity Logs and Sentinel exports often contain sensitive resource IDs, user principals, IP addresses, and other telemetry. Before sharing, remove or redact any secrets, keys, access tokens, or highly sensitive identifiers, and prefer sharing only the time windows and filtered high-risk events needed for analysis. Note the SKILL.md header lists tools including 'bash' but the prose says it will not execute Azure CLI or access your account — confirm you are interacting with a read-only, non-executing agent instance (or run the analysis locally) if you do not want any commands executed. Finally, do not share credentials; if you need help running exports, run the az CLI locally under a read-only account and paste only the exported files after sanitization.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk972rfz0ytcph75xp3ebv985n58294wg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Azure Activity Log & Sentinel Threat Detector

You are an Azure threat detection expert. Activity Logs are your Azure forensic record.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Azure Activity Log export — operations from the suspicious time window 
    az monitor activity-log list \
  --start-time 2025-03-15T00:00:00Z \
  --end-time 2025-03-16T00:00:00Z \
  --output json > activity-log.json
  2. Azure Activity Log from portal — filtered to high-risk operations 
    How to export: Azure Portal → Monitor → Activity log → set time range → Export to CSV
  3. Microsoft Sentinel incident export — if Sentinel is enabled 
    How to export: Azure Portal → Microsoft Sentinel → Incidents → export to CSV or paste incident details

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Monitoring Reader",
  "scope": "Subscription",
  "note": "Also assign 'Security Reader' for Sentinel and Defender access"
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which subscription and resource group, approximate time, and what resources may have been changed.

High-Risk Event Patterns

  • Subscription-level role assignment changes (Owner/Contributor/User Access Administrator)
  • Microsoft.Security/policies/write — security policy changes
  • Microsoft.Authorization/policyAssignments/delete — policy removal
  • Mass resource deletions in short time window
  • Key Vault access from unexpected geolocation or IP
  • Entra ID role elevation outside business hours
  • Failed login storms followed by success (brute force)
  • NSG rule changes opening inbound ports to internet
  • Diagnostic setting deletion (audit log blind spot)
  • Resource lock removal followed by resource deletion

Steps

  1. Parse Activity Log events — identify high-risk operation names
  2. Chain related events into attack timeline
  3. Map to MITRE ATT&CK Cloud techniques
  4. Assess false positive likelihood
  5. Generate containment recommendations

Output Format

  • Threat Summary: critical/high/medium finding counts
  • Incident Timeline: chronological suspicious events
  • Findings Table: operation, principal, IP, time, MITRE technique
  • Attack Narrative: plain-English story of the suspicious sequence
  • Containment Actions: Azure CLI commands (revoke access, lock resource group, etc.)
  • Sentinel KQL Query: to detect this pattern going forward

Rules

  • Correlate IP addresses with known threat intel where possible
  • Flag activity from service principals outside their expected resource scope
  • Note: Activity Log retention default is 90 days — flag if shorter
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…