← Back to Skills Marketplace
Activity Log Detector
by
Anmol Nagpal
· GitHub ↗
· v1.0.0
326
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install activity-log-detector
Description
Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators
README (SKILL.md)
Azure Activity Log & Sentinel Threat Detector
You are an Azure threat detection expert. Activity Logs are your Azure forensic record.
This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.
Required Inputs
Ask the user to provide one or more of the following (the more provided, the better the analysis):
- Azure Activity Log export — operations from the suspicious time window
az monitor activity-log list \ --start-time 2025-03-15T00:00:00Z \ --end-time 2025-03-16T00:00:00Z \ --output json > activity-log.json - Azure Activity Log from portal — filtered to high-risk operations
How to export: Azure Portal → Monitor → Activity log → set time range → Export to CSV - Microsoft Sentinel incident export — if Sentinel is enabled
How to export: Azure Portal → Microsoft Sentinel → Incidents → export to CSV or paste incident details
Minimum required Azure RBAC role to run the CLI commands above (read-only):
{
"role": "Monitoring Reader",
"scope": "Subscription",
"note": "Also assign 'Security Reader' for Sentinel and Defender access"
}
If the user cannot provide any data, ask them to describe: the suspicious activity observed, which subscription and resource group, approximate time, and what resources may have been changed.
High-Risk Event Patterns
- Subscription-level role assignment changes (Owner/Contributor/User Access Administrator)
Microsoft.Security/policies/write— security policy changesMicrosoft.Authorization/policyAssignments/delete— policy removal- Mass resource deletions in short time window
- Key Vault access from unexpected geolocation or IP
- Entra ID role elevation outside business hours
- Failed login storms followed by success (brute force)
- NSG rule changes opening inbound ports to internet
- Diagnostic setting deletion (audit log blind spot)
- Resource lock removal followed by resource deletion
Steps
- Parse Activity Log events — identify high-risk operation names
- Chain related events into attack timeline
- Map to MITRE ATT&CK Cloud techniques
- Assess false positive likelihood
- Generate containment recommendations
Output Format
- Threat Summary: critical/high/medium finding counts
- Incident Timeline: chronological suspicious events
- Findings Table: operation, principal, IP, time, MITRE technique
- Attack Narrative: plain-English story of the suspicious sequence
- Containment Actions: Azure CLI commands (revoke access, lock resource group, etc.)
- Sentinel KQL Query: to detect this pattern going forward
Rules
- Correlate IP addresses with known threat intel where possible
- Flag activity from service principals outside their expected resource scope
- Note: Activity Log retention default is 90 days — flag if shorter
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing
Usage Guidance
This skill appears coherent and safe as an instruction-only analyzer, but be careful with what you paste: Activity Logs and Sentinel exports often contain sensitive resource IDs, user principals, IP addresses, and other telemetry. Before sharing, remove or redact any secrets, keys, access tokens, or highly sensitive identifiers, and prefer sharing only the time windows and filtered high-risk events needed for analysis. Note the SKILL.md header lists tools including 'bash' but the prose says it will not execute Azure CLI or access your account — confirm you are interacting with a read-only, non-executing agent instance (or run the analysis locally) if you do not want any commands executed. Finally, do not share credentials; if you need help running exports, run the az CLI locally under a read-only account and paste only the exported files after sanitization.
Capability Analysis
Type: OpenClaw Skill
Name: activity-log-detector
Version: 1.0.0
The skill is designed for Azure activity log analysis, explicitly stating it's 'instruction-only' and 'does not execute any Azure CLI commands or access your Azure account directly.' It also contains strong instructions to the AI agent to 'Never ask for credentials, access keys, or secret keys.' While it declares `bash` as a tool and instructs the agent to generate Azure CLI commands for containment recommendations, these are within the scope of a legitimate security analysis task and are not instructed to be executed by the agent or used for malicious purposes. There is no evidence of intentional harmful behavior, data exfiltration, or backdoor attempts.
Capability Assessment
Purpose & Capability
Name/description match the requested inputs and outputs: the skill asks the user to provide Activity Log and Sentinel exports and describes the analysis it will perform. It does not request unrelated credentials, binaries, or cloud access.
Instruction Scope
SKILL.md stays within scope: it instructs the user how to export logs, what events to look for, analysis steps, and output format. It appropriately warns users not to provide credentials and to confirm exported data contains no secrets. Note: pasted logs can include sensitive identifiers, IPs, and user principals — the skill relies on users to sanitize data before sharing.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk or installed by the skill itself.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The RBAC role shown is documentation for users who run the example CLI themselves — it does not ask for elevated or unrelated credentials.
Persistence & Privilege
The skill does not request always:true or any persistent privileges. It is user-invocable and allows autonomous invocation by default (platform default), but it does not request credentials or system-level configuration changes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install activity-log-detector - After installation, invoke the skill by name or use
/activity-log-detector - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Azure Activity Log & Sentinel Threat Detector.
- Analyze exported Azure Activity Logs and Sentinel incidents for suspicious operations and attack patterns.
- Guide users on how to export required data securely, with no credentials needed.
- Detect and summarize high-risk events: role changes, policy deletions, failed logins, resource tampering, and more.
- Output includes threat summaries, incident timeline, MITRE mappings, KQL detection queries, and remediation guidance.
- All analysis is instruction-only—no direct Azure or CLI access; user data privacy emphasized.
Metadata
Frequently Asked Questions
What is Activity Log Detector?
Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators. It is an AI Agent Skill for Claude Code / OpenClaw, with 326 downloads so far.
How do I install Activity Log Detector?
Run "/install activity-log-detector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Activity Log Detector free?
Yes, Activity Log Detector is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Activity Log Detector support?
Activity Log Detector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Activity Log Detector?
It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.
More Skills