Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Account/Subscription compromised not able to know how to track the criminel
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
Salam ELIAS
237
Reputation points
Recently, I discovered that one of the accounts (not sure which one, I have either SP or managed IDs as well as my main user which is the global admin in MFA state).
Somebody succeeded to create so many Vms, Vnetworks.....which I deleted which costed me the whole cost for the subscription for the october month. As spending limit was reached. the criminel was not able to create new resources until yesterday, he started back again when my subscription was renabled.
I craeted an alert to be notified whenever new resources are created on subscription level. I receive the alerts but a lot of details in the alert but we dont see which resource was created nor who created it.
So the main question is how can or track who is doing this
Azure Monitor
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Naveena Patlolla 6,780 Reputation points Microsoft External Staff Moderator2025-10-24T08:14:03.9533333+00:00 Hi Salam ELIAS
Azure Activity Log shows who initiated resource create/write operations (caller, callerIpAddress, operation, resourceId).
Reference link:
Please let me know if you face any challenge here, I can help you to resolve this issue further
If the comment was helpful, please click "Upvote"
-
Salam ELIAS 237 Reputation points
2025-10-24T11:10:59.1633333+00:00 "Azure Activity Log" shows....on which level. I checked on subscription level, there was nothing, there is no Caller IPaddr, resource ID
-
Naveena Patlolla 6,780 Reputation points Microsoft External Staff Moderator
2025-10-24T12:37:20.85+00:00 1)Check Azure AD sign-in logs: Go to Azure portal- Microsoft Entra ID ->Sign-in logs
2)After finding the user, Go to Subscription- IAM- select user and remove permissions https://free.blessedness.top/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal
-
Salam ELIAS 237 Reputation points
2025-10-24T13:30:05.85+00:00 Ok, all lines contain the field "Username = myemail" I use to login, I see a field "Sign-In identifier", some lines contain my email, others are empty with the filed "Incoming token type_1" has the value of none. A lot of details there and not sure how should I interpret them
Sign in to comment
Sign in to answer