-
Notifications
You must be signed in to change notification settings - Fork 0
Snapshots Disks
snapshots-disks is the disk-first triage command for offline-copy, export, and recovery-adjacent
compute paths.
Use it when the best follow-up target may be a disk or snapshot behind a workload instead of the live VM itself.
- Which disk-backed assets matter first?
- Which disk or snapshot looks easiest to review, copy, or prioritize without starting from the live VM?
- Which offline path should change what you inspect next?
azurefox snapshots-disks --output tableFor saved structured output:
azurefox snapshots-disks --output json| asset | kind | priority | attachment / source | sharing / export | encryption |
|---|---|---|---|---|---|
data-detached-legacy |
disk |
detached, public-net, allow-all, shared=3, disk-access |
detached |
policy=AllowAll; public=Enabled; max-shares=3; disk-access=yes |
type=EncryptionAtRestWithPlatformKey; des=no; size=512g |
data-detached-legacy-snap |
snapshot |
offline-copy, public-net, allow-all, disk-access |
source=data-detached-legacy; incremental=yes |
policy=AllowAll; public=Enabled; disk-access=yes |
type=EncryptionAtRestWithPlatformKey; des=no; size=512g |
vm-web-01-os-snap |
snapshot |
offline-copy |
source=vm-web-01-os; incremental=yes |
policy=AllowPrivate; public=Disabled |
type=EncryptionAtRestWithCustomerKey; des=yes; os=Linux; size=128g |
- when detached disks, snapshots, or export posture may reveal a cleaner path than interacting with the live VM
- when you need a disk-first view of compute assets instead of a host-first view
- when sharing, export, or encryption cues make one offline path stand out
- detached disks before routine attached disks
- snapshots or other offline-copy paths
-
public_network_access=Enabledwithnetwork_access_policy=AllowAll - source workload context that makes one disk-backed path more consequential
Disk and snapshot posture can change what kind of follow-up is possible.
A detached disk may preserve useful workload state outside the running VM. A snapshot can preserve
a point-in-time copy that is easier to review than a live host. snapshots-disks helps you find
those offline paths early without crossing into data access or recovery workflows.
- detached disks before routine attached disks
- snapshots and other offline-copy paths near the top when they combine with broader sharing or export posture
- permissive access or weaker encryption cues ahead of quieter baseline posture
- clear workload context when the disk-backed path ties to a high-value VM
- If you see a detached disk or snapshot with
public_network_access=Enabledandnetwork_access_policy=AllowAll, go next to Permissions because it shows which principals are most likely to control or extend that disk-backed access path. - If you see a snapshot or disk tied to a high-value VM, go next to VMs because it shows the live compute context behind that offline-copy target.
- If the source workload also looks reachable, go next to Network-Effective because it helps decide whether the live host or the disk path is the better first stop.
- Start with the disk-backed assets that are easiest to review or reuse without touching the live workload first.
- Treat offline-copy paths as part of the compute story, not just storage detail.
- Use the disk, VM, and network cues together to decide whether the better next step is host, identity, or access-path review.
snapshots-disks is a management-plane disk triage command.
It should rank the disk-backed assets that most deserve follow-up first. It is not restore workflow, SAS creation, mounting, content retrieval, or guest-level analysis.
- Home
- Getting Started
- Platform Notes
- Running Against The Proof Lab
- Understanding Output
- Command Guides
Core
Identity
Config
Secrets
Storage
Resource
Compute
Orchestration
Chain Families
Grouped Sweeps
Investigations
- Axios - Post Exposure Azure Triage
- From EvilTokens to AzureFox: Why Token Theft Can Become Azure Control
- FAQ / Known Limits (coming soon)