azure-activity-log-detector
Analyze Azure Activity Logs and Sentinel incidents for suspicious patterns and attack indicators
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anmolnagpal/activity-log-detector
What This Skill Does
The azure-activity-log-detector is a specialized forensic analysis skill for the OpenClaw platform. It acts as a virtual cloud security architect, designed to parse and interpret raw telemetry from Azure Activity Logs and Microsoft Sentinel incidents. Its primary function is to detect, correlate, and explain suspicious patterns that indicate potential cloud compromise, lateral movement, or unauthorized privilege escalation. By processing logs provided by the user, the agent transforms opaque JSON or CSV data into actionable, plain-English security narratives, mapping activities directly to the MITRE ATT&CK Cloud matrix and providing immediate, copy-pasteable remediation steps.
Installation
You can install this skill directly from the central repository using the OpenClaw command-line interface. Run the following command in your terminal:
clawhub install openclaw/skills/skills/anmolnagpal/activity-log-detector
Use Cases
- Incident Response: When an alert triggers in your environment, feed the logs into this skill to quickly understand the scope of the incident.
- Security Audits: Proactively check logs from a specific period to identify misconfigurations like overly permissive role assignments or disabled diagnostic settings.
- Forensic Investigation: Reconstruct the sequence of events following a suspected breach, focusing on high-risk operations like resource deletion or security policy modification.
- Policy Compliance Verification: Confirm whether infrastructure changes align with your organization's security posture.
Example Prompts
- "I've noticed some unusual activity in my production subscription between 2 PM and 4 PM yesterday. I've attached the exported activity log JSON—please analyze it for potential security breaches."
- "Review these Sentinel incident logs for me. I'm worried that someone performed a privilege escalation. Can you check for any RBAC role changes and write a KQL query to alert me if this happens again?"
- "Someone deleted a production resource group. Based on this Activity Log dump, can you determine the identity of the user and whether they removed any resource locks before the deletion?"
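The checks the prompts above ask for (RBAC role changes, disabled diagnostic settings, and a resource lock removed shortly before a resource group deletion) can be expressed as a small triage script. The block below is an added illustration, not the skill's own code or an OpenClaw API: the record fields (`operationName`, `caller`, `callerIpAddress`, `eventTimestamp`, `resourceId`, `status`) are a simplified subset of an Activity Log JSON export, the sample events and subscription ID are constructed, and the MITRE ATT&CK technique labels are the ones a reviewer would attach to each operation name.

```python
"""Triage an Azure Activity Log export for high-risk operations and correlate
lock removal with a later resource-group deletion by the same caller.

Added example for illustration; not the azure-activity-log-detector skill's
code. Record schema is a simplified subset of a real export; events are
constructed sample data.
"""
import json
from datetime import datetime, timedelta

# Azure operation names as they appear in Activity Log, with the ATT&CK
# tactic/technique a reviewer would cite when explaining the finding.
HIGH_RISK_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write":
        ("Privilege Escalation / Persistence", "T1098.003 Additional Cloud Roles"),
    "Microsoft.Insights/diagnosticSettings/delete":
        ("Defense Evasion", "T1562.008 Disable or Modify Cloud Logs"),
    "Microsoft.Authorization/locks/delete":
        ("Impact (precursor)", "T1485 Data Destruction"),
    "Microsoft.Resources/subscriptions/resourceGroups/delete":
        ("Impact", "T1485 Data Destruction"),
}

# Constructed sample export; subscription ID is a placeholder.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_EXPORT = json.dumps([
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.7", "eventTimestamp": "2024-05-01T14:05:00Z",
     "resourceId": f"{_SUB}/providers/Microsoft.Authorization/roleAssignments/abc", "status": "Succeeded"},
    {"operationName": "Microsoft.Insights/diagnosticSettings/delete", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.7", "eventTimestamp": "2024-05-01T14:10:00Z",
     "resourceId": f"{_SUB}/providers/Microsoft.Insights/diagnosticSettings/export", "status": "Succeeded"},
    {"operationName": "Microsoft.Authorization/locks/delete", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.7", "eventTimestamp": "2024-05-01T14:20:00Z",
     "resourceId": f"{_SUB}/resourceGroups/prod-rg/providers/Microsoft.Authorization/locks/do-not-delete",
     "status": "Succeeded"},
    {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/delete", "caller": "svc-deploy@example.com",
     "callerIpAddress": "203.0.113.7", "eventTimestamp": "2024-05-01T14:25:00Z",
     "resourceId": f"{_SUB}/resourceGroups/PROD-RG", "status": "Succeeded"},
    # Benign read and a failed lock delete by someone else: neither should be flagged.
    {"operationName": "Microsoft.Compute/virtualMachines/read", "caller": "ops@example.com",
     "callerIpAddress": "198.51.100.4", "eventTimestamp": "2024-05-01T14:26:00Z",
     "resourceId": f"{_SUB}/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/vm1",
     "status": "Succeeded"},
    {"operationName": "Microsoft.Authorization/locks/delete", "caller": "ops@example.com",
     "callerIpAddress": "198.51.100.4", "eventTimestamp": "2024-05-01T14:30:00Z",
     "resourceId": f"{_SUB}/resourceGroups/dev-rg/providers/Microsoft.Authorization/locks/keep",
     "status": "Failed"},
])


def parse_events(raw_json):
    """Load the export and attach a parsed UTC timestamp, oldest first."""
    events = json.loads(raw_json)
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def flag_high_risk(events):
    """Return one finding per successful high-risk operation (failed attempts are noise here)."""
    findings = []
    for e in events:
        hit = HIGH_RISK_OPERATIONS.get(e["operationName"])
        if hit and e.get("status") == "Succeeded":
            tactic, technique = hit
            findings.append({"operationName": e["operationName"], "caller": e["caller"],
                             "ip": e.get("callerIpAddress"), "time": e["eventTimestamp"],
                             "resourceId": e["resourceId"], "tactic": tactic, "technique": technique})
    return findings


def correlate_lock_removal(events, window=timedelta(minutes=30)):
    """Pair a successful lock delete with a later resource-group delete by the same caller.

    Azure resource IDs are case-insensitive, so the scope check lower-cases both sides.
    """
    lock_deletes = [e for e in events if e["operationName"] == "Microsoft.Authorization/locks/delete"
                    and e.get("status") == "Succeeded"]
    rg_deletes = [e for e in events if e["operationName"] == "Microsoft.Resources/subscriptions/resourceGroups/delete"
                  and e.get("status") == "Succeeded"]
    pairs = []
    for lock in lock_deletes:
        for rg in rg_deletes:
            gap = rg["_ts"] - lock["_ts"]
            if (lock["caller"] == rg["caller"]
                    and lock["resourceId"].lower().startswith(rg["resourceId"].lower() + "/")
                    and timedelta(0) <= gap <= window):
                pairs.append({"caller": lock["caller"], "resourceGroup": rg["resourceId"],
                              "lock": lock["resourceId"], "minutes_between": gap.total_seconds() / 60})
    return pairs


def analyze(raw_json):
    events = parse_events(raw_json)
    return {"high_risk": flag_high_risk(events), "lock_then_delete": correlate_lock_removal(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EXPORT), indent=2))
```

Run it as-is to see the four flagged operations plus the single lock-removal-then-deletion chain; on a real export, replace `SAMPLE_EXPORT` with the file contents and widen `window` if the buffer zone around the incident is larger.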
Tips & Limitations
This skill is an analysis engine; it does not have direct access to your Azure environment and will not perform automatic remediation without your explicit approval via the generated commands. For best results, ensure your exported logs cover the entire timeframe of the suspected incident plus a buffer zone before and after. Always provide high-context data (such as IP addresses and full operation names) to improve the accuracy of the MITRE mapping. Note that the quality of the findings depends heavily on the log granularity configured in your Azure Diagnostic Settings.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-anmolnagpal-activity-log-detector": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Related Skills
- aws-compliance-analyzer: Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation
- aws-terraform-security-reviewer: Review Terraform plans and HCL files for AWS security misconfigurations before deployment
- azure-storage-exposure-auditor: Identify publicly accessible Azure Storage accounts and misconfigured blob containers
- aws-tagging-auditor: Audit AWS resource tagging compliance and identify unallocatable spend for FinOps teams
- gcp-bigquery-optimizer: Analyze BigQuery query patterns and storage to dramatically reduce the