anmolnagpal

Activity Log Detector

By Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ✓ Security check passed
326
Total downloads
0
Favorites
0
Current installs
1
Versions
Install in OpenClaw
/install activity-log-detector
Description
Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators
Usage (SKILL.md)

Azure Activity Log & Sentinel Threat Detector

You are an Azure threat detection expert. Activity Logs are your Azure forensic record.

This skill is instruction-only. It does not execute any Azure CLI commands or access your Azure account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. Azure Activity Log export — operations from the suspicious time window
    az monitor activity-log list \
      --start-time 2025-03-15T00:00:00Z \
      --end-time 2025-03-16T00:00:00Z \
      --output json > activity-log.json
    
  2. Azure Activity Log from portal — filtered to high-risk operations
    How to export: Azure Portal → Monitor → Activity log → set time range → Export to CSV
    
  3. Microsoft Sentinel incident export — if Sentinel is enabled
    How to export: Azure Portal → Microsoft Sentinel → Incidents → export to CSV or paste incident details
    

Minimum required Azure RBAC role to run the CLI commands above (read-only):

{
  "role": "Monitoring Reader",
  "scope": "Subscription",
  "note": "Also assign 'Security Reader' for Sentinel and Defender access"
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which subscription and resource group, approximate time, and what resources may have been changed.

High-Risk Event Patterns

  • Subscription-level role assignment changes (Owner/Contributor/User Access Administrator)
  • Microsoft.Security/policies/write — security policy changes
  • Microsoft.Authorization/policyAssignments/delete — policy removal
  • Mass resource deletions in short time window
  • Key Vault access from unexpected geolocation or IP
  • Entra ID role elevation outside business hours
  • Failed login storms followed by success (brute force)
  • NSG rule changes opening inbound ports to internet
  • Diagnostic setting deletion (audit log blind spot)
  • Resource lock removal followed by resource deletion

Steps

  1. Parse Activity Log events — identify high-risk operation names
  2. Chain related events into attack timeline
  3. Map to MITRE ATT&CK Cloud techniques
  4. Assess false positive likelihood
  5. Generate containment recommendations
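
The first two steps above (parse the export for high-risk operation names, then chain related events) can be scripted before any narrative analysis. The following is an added example, not code shipped with the skill: it takes the JSON produced by the `az monitor activity-log list` command shown earlier, keeps only succeeded operations, flags operation names from the High-Risk Event Patterns list, chains a lock removal to the deletions that follow under the same scope, detects deletion bursts, and attaches an ATT&CK technique per finding. The sample export, the severity levels and the technique mapping are this example's own constructions and assumptions, not a table from the skill.

```python
"""Triage an exported Azure Activity Log: flag high-risk operations, chain lock
removal to the deletions that follow, detect deletion bursts and map findings to
ATT&CK techniques. Added example, not the skill's own code."""
import json
from collections import Counter
from datetime import datetime, timedelta

# Operation names from the skill's High-Risk Event Patterns list, lower-cased
# because Activity Log operation names are compared case-insensitively. The
# severity and ATT&CK technique per operation are this example's own mapping.
HIGH_RISK = {
    "microsoft.authorization/roleassignments/write": ("high", "T1098.003 Additional Cloud Roles"),
    "microsoft.security/policies/write": ("high", "T1562.001 Disable or Modify Tools"),
    "microsoft.authorization/policyassignments/delete": ("high", "T1562.001 Disable or Modify Tools"),
    "microsoft.insights/diagnosticsettings/delete": ("critical", "T1562.008 Disable or Modify Cloud Logs"),
    "microsoft.authorization/locks/delete": ("medium", "T1485 Data Destruction (precursor)"),
    "microsoft.network/networksecuritygroups/securityrules/write": ("high", "T1562.007 Disable or Modify Cloud Firewall"),
}

def is_resource_delete(op):
    """A deletion of an actual resource; control-plane deletes already covered by
    HIGH_RISK (locks, policy assignments, diagnostic settings) are excluded."""
    return op.endswith("/delete") and op not in HIGH_RISK

def parse_events(raw_json):
    """Step 1: normalize `az monitor activity-log list` records to the fields used
    here. Failed operations are dropped: a rejected write changed nothing."""
    events = []
    for rec in json.loads(raw_json):
        if rec.get("status", {}).get("value") != "Succeeded":
            continue
        events.append({
            "time": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
            "op": rec["operationName"]["value"].lower(),
            "caller": rec.get("caller", "unknown"),
            "ip": rec.get("httpRequest", {}).get("clientIpAddress", "n/a"),
            "resource": rec.get("resourceId", "").lower(),
        })
    return sorted(events, key=lambda e: e["time"])

def flag_high_risk(events):
    """Single-event findings keyed on operation name, with severity and technique."""
    return [dict(e, severity=HIGH_RISK[e["op"]][0], technique=HIGH_RISK[e["op"]][1])
            for e in events if e["op"] in HIGH_RISK]

def chain_lock_then_delete(events, window=timedelta(minutes=30)):
    """Step 2: lock removal followed, by the same caller and within the window,
    by deletion of a resource under the formerly locked scope."""
    chains = []
    for lock in (e for e in events if e["op"] == "microsoft.authorization/locks/delete"):
        scope = lock["resource"].split("/providers/microsoft.authorization/locks/")[0]
        for d in events:
            if (is_resource_delete(d["op"]) and d["caller"] == lock["caller"]
                    and lock["time"] <= d["time"] <= lock["time"] + window
                    and d["resource"].startswith(scope)):
                chains.append((lock, d))
    return chains

def deletion_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Step 2: `threshold` or more resource deletions by one caller inside a
    sliding window; events are time-sorted so each run is a contiguous slice."""
    by_caller = {}
    for e in events:
        if is_resource_delete(e["op"]):
            by_caller.setdefault(e["caller"], []).append(e)
    bursts = []
    for deletes in by_caller.values():
        i = 0
        while i < len(deletes):
            run = [d for d in deletes[i:] if d["time"] <= deletes[i]["time"] + window]
            if len(run) >= threshold:
                bursts.append(run)
                i += len(run)
            else:
                i += 1
    return bursts

def triage(raw_json):
    """Run the pipeline and return the building blocks of the Threat Summary."""
    events = parse_events(raw_json)
    findings = flag_high_risk(events)
    return {"summary": dict(Counter(f["severity"] for f in findings)),
            "findings": findings,
            "lock_then_delete": chain_lock_then_delete(events),
            "deletion_bursts": deletion_bursts(events)}

# Constructed sample export, reduced to the fields used above. The subscription
# ID, principal and IP (a documentation range address) are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
def _rec(ts, op, resource, status="Succeeded"):
    return {"eventTimestamp": ts, "operationName": {"value": op}, "resourceId": resource,
            "caller": "svc-deploy@contoso.example", "status": {"value": status},
            "httpRequest": {"clientIpAddress": "203.0.113.7"}}
SAMPLE_EXPORT = json.dumps([
    _rec("2025-03-15T10:00:00Z", "Microsoft.Authorization/roleAssignments/write", SUB + "/providers/Microsoft.Authorization/roleAssignments/ra1"),
    _rec("2025-03-15T10:05:00Z", "Microsoft.Insights/diagnosticSettings/delete", SUB + "/providers/Microsoft.Insights/diagnosticSettings/audit"),
    _rec("2025-03-15T10:10:00Z", "Microsoft.Authorization/locks/delete", RG + "/providers/Microsoft.Authorization/locks/do-not-delete"),
    _rec("2025-03-15T10:12:00Z", "Microsoft.Storage/storageAccounts/delete", RG + "/providers/Microsoft.Storage/storageAccounts/stprod01"),
    _rec("2025-03-15T10:13:00Z", "Microsoft.Compute/virtualMachines/delete", RG + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"),
    _rec("2025-03-15T10:14:00Z", "Microsoft.KeyVault/vaults/delete", RG + "/providers/Microsoft.KeyVault/vaults/kv-prod"),
    _rec("2025-03-15T10:20:00Z", "Microsoft.Authorization/roleAssignments/write", SUB + "/providers/Microsoft.Authorization/roleAssignments/ra2", status="Failed"),
])

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print("Threat Summary:", result["summary"])
    for f in result["findings"]:
        print(f"{f['time']:%H:%M} {f['severity']:<8} {f['op']}  {f['technique']}")
    for lock, d in result["lock_then_delete"]:
        print(f"lock removed {lock['time']:%H:%M} -> deleted {d['time']:%H:%M} {d['resource']}")
```

On the sample the lock removal at 10:10 chains to the three deletions that follow inside the resource group, and the same three deletions also form a burst; the failed role assignment at 10:20 is dropped before analysis, which is the right default for a write but would be the wrong one for the brute-force pattern (failed sign-ins followed by a success), where failures are the signal.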

Output Format

  • Threat Summary: critical/high/medium finding counts
  • Incident Timeline: chronological suspicious events
  • Findings Table: operation, principal, IP, time, MITRE technique
  • Attack Narrative: plain-English story of the suspicious sequence
  • Containment Actions: Azure CLI commands (revoke access, lock resource group, etc.)
  • Sentinel KQL Query: to detect this pattern going forward

Rules

  • Correlate IP addresses with known threat intel where possible
  • Flag activity from service principals outside their expected resource scope
  • Note: Activity Log retention default is 90 days — flag if shorter
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Safe usage recommendations
This skill appears coherent and safe as an instruction-only analyzer, but be careful with what you paste: Activity Logs and Sentinel exports often contain sensitive resource IDs, user principals, IP addresses, and other telemetry. Before sharing, remove or redact any secrets, keys, access tokens, or highly sensitive identifiers, and prefer sharing only the time windows and filtered high-risk events needed for analysis. Note the SKILL.md header lists tools including 'bash' but the prose says it will not execute Azure CLI or access your account — confirm you are interacting with a read-only, non-executing agent instance (or run the analysis locally) if you do not want any commands executed. Finally, do not share credentials; if you need help running exports, run the az CLI locally under a read-only account and paste only the exported files after sanitization.
Feature analysis
Type: OpenClaw Skill
Name: activity-log-detector
Version: 1.0.0

The skill is designed for Azure activity log analysis, explicitly stating it's 'instruction-only' and 'does not execute any Azure CLI commands or access your Azure account directly.' It also contains strong instructions to the AI agent to 'Never ask for credentials, access keys, or secret keys.' While it declares `bash` as a tool and instructs the agent to generate Azure CLI commands for containment recommendations, these are within the scope of a legitimate security analysis task and are not instructed to be executed by the agent or used for malicious purposes. There is no evidence of intentional harmful behavior, data exfiltration, or backdoor attempts.
Capability assessment
Purpose & Capability
Name/description match the requested inputs and outputs: the skill asks the user to provide Activity Log and Sentinel exports and describes the analysis it will perform. It does not request unrelated credentials, binaries, or cloud access.
Instruction Scope
SKILL.md stays within scope: it instructs the user how to export logs, what events to look for, analysis steps, and output format. It appropriately warns users not to provide credentials and to confirm exported data contains no secrets. Note: pasted logs can include sensitive identifiers, IPs, and user principals — the skill relies on users to sanitize data before sharing.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk or installed by the skill itself.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The RBAC role shown is documentation for users who run the example CLI themselves — it does not ask for elevated or unrelated credentials.
Persistence & Privilege
The skill does not request always:true or any persistent privileges. It is user-invocable and allows autonomous invocation by default (platform default), but it does not request credentials or system-level configuration changes.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Type the install command in the chat box: /install activity-log-detector
  3. Once installed, invoke the Skill by name or trigger it with /activity-log-detector
  4. Provide the required inputs described in the Skill's parameter notes to receive structured output
Version history
v1.0.0
Initial release of Azure Activity Log & Sentinel Threat Detector.
  • Analyze exported Azure Activity Logs and Sentinel incidents for suspicious operations and attack patterns.
  • Guide users on how to export required data securely, with no credentials needed.
  • Detect and summarize high-risk events: role changes, policy deletions, failed logins, resource tampering, and more.
  • Output includes threat summaries, incident timeline, MITRE mappings, KQL detection queries, and remediation guidance.
  • All analysis is instruction-only; no direct Azure or CLI access. User data privacy is emphasized.
Metadata
Slug activity-log-detector
Version 1.0.0
License
Total installs 0
Current installs 0
Versions 1
FAQ

What is Activity Log Detector?

Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 326 downloads to date.

How do I install Activity Log Detector?

Run the command "/install activity-log-detector" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is Activity Log Detector free?

Yes, Activity Log Detector is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Activity Log Detector support?

Activity Log Detector is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Activity Log Detector?

Developed and maintained by Anmol Nagpal (@anmolnagpal); current version v1.0.0.
