Auditing

Application Audit Log records tenant, actor, action, target, optional provider/model, metadata, and timestamp for privileged/security-relevant operations. Additional durable records include approvals, task/workbook/playbook runs, notification deliveries, connector health, case timelines, and Evidence Locker digests.

Correlation model

Start with UTC time and actor, then correlate application object IDs with approval/tool-call IDs, Azure Activity Log correlation IDs, ticket/incident IDs, and destination delivery records. A successful application call may precede eventual external processing; a failed external call can still have a successful approval record.

Sensitive values should be redacted before audit storage, but administrators must still treat metadata as confidential. Restrict audit.read, control exports, and apply organizational retention/monitoring. Forwarding through connectors is not a guaranteed SIEM cursoring service unless separately implemented and verified.

Evidence

Use Evidence Locker for a point-in-time source bundle and Case Files for chronological decisions. SHA-256 verification detects unexpected evidence changes but does not establish who originally supplied every upstream Azure record.


Back to top

Azure Support Agent is open source under the MIT License.

This site uses Just the Docs, a documentation theme for Jekyll.