Azure Monitor log analytics sample queries.

Azure Monitor resource logs are logs emitted by Azure services that describe the operation of those services or resources. When exported to a Log Analytics workspace the logs are stored in tables. This set of articles contains sample queries to retrieve data from the log analytics tables. The queries are also available in the Log Analytics workspace.

Sample queries by table

AACAudit

• Most recent delete key-value operations
• Most recent client error

AACHttpRequest

• Throttled Requests
• Most common server errors
• Most Active Clients by IP Address

AADCustomSecurityAttributeAuditLogs

• User's custom security attribute audits

AADDomainServicesAccountLogon

• Show logs from AADDomainServicesAccountLogon table

AADDomainServicesAccountManagement

• Show logs from AADDomainServicesAccountManagement table

AADDomainServicesDirectoryServiceAccess

• Show logs from AADDomainServicesDirectoryServiceAccess table

AADDomainServicesLogonLogoff

• Show logs from AADDomainServicesLogonLogoff table

AADDomainServicesPolicyChange

• Show logs from AADDomainServicesPolicyChange table

AADDomainServicesPrivilegeUse

• Show logs from AADDomainServicesPrivilegeUse table

AADManagedIdentitySignInLogs

• Most active managed identities

AADNonInteractiveUserSignInLogs

• Users with multiple cities
• Most active ip addresses

AADProvisioningLogs

• Provisioning actions for the last week
• Provisioning errors
• Provisioned objects by day

AADRiskyUsers

• High risk users

AADServicePrincipalRiskEvents

• Active service principal risk detections

AADServicePrincipalSignInLogs

• Most active service principals
• Inactive service principals

AADUserRiskEvents

• Recent user risk events
• Active user risk detections

ABAPAuditLog

• ABAP audit log multiple IP logons
• ABAP audit log file downloads

ABSBotRequests

• Clients To Direct Line Channel
• Bot To Channels
• Channels To Bot
• Requests From Facebook To Azure Bot Service
• Requests From Azure Bot Service To Facebook API
• Activities Sent from Clients to Direct Line
• Direct Line Channel Logs
• Failed Requests
• Direct Line Channel Response Codes Line Chart
• Requests Duration Line Chart
• Response Codes Line Chart
• Response Codes PieChart
• Request Operations PieChart

ACICollaborationAudit

• How many times a resource was granted grants per pipeline run?
• What entitlements was granted to my resource?
• What resources was granted accessed by an entitlement?
• Which participants was granted accessed to my resource?

ACRConnectedClientList

• Unique Redis client IP addresses
• Redis client connections per hour

ACREntraAuthenticationAuditLog

• Microsoft Entra authentication audit log

ACSAdvancedMessagingOperations

• Advanced Messaging operations
• Advanced Messaging operation duration percentiles
• Advanced Messaging top 5 IP addresses per operation
• Advanced Messaging operational errors
• Advanced Messaging operation result counts
• Advanced Messaging channel activity
• Advanced Messaging message status count

ACSAuthIncomingOperations

• List distinct auth operations
• Calculate auth operation duration percentiles
• Top 5 IP addresses per auth operation
• Auth operational errors
• Auth operation result counts

ACSBillingUsage

• Get long calls
• Usage breakdown
• Record count breakdown
• Participant Phone Numbers

ACSCallAutomationIncomingOperations

• Call Automation operations
• Calculate Call Automation operation duration percentiles
• Top 5 IP addresses per Call Automation operation
• Call Automation operational errors
• Call Automation operation result counts
• Call Automation logs for call connection ID
• Call Automation API operations on a call
• CallDiagnostics log for CallAutomation API call
• CallSummary log for CallAutomation API call

ACSCallAutomationMediaSummary

• Loop play success rate
• Play to participant success rate
• Recognize success rate
• Success rate by sub operation name

ACSCallClientMediaStatsTimeSeries

• Metrics per each media type
• Metric histogram per media type and direction

ACSCallClientOperations

• Count client operations by type
• Outgoing call failure reasons
• Search calls by keyword
• Search all user facing diagnostics in a call
• Search all participants in a call
• Search all client operations in a call

ACSCallDiagnostics

• Streams per call
• Streams per call histogram
• Media type ratio
• Transport type ratio
• Average telemetry values
• Jitter average histogram
• Jitter max histogram
• Packet loss rate average histogram
• Packet loss rate max histogram
• Round trip time average histogram
• Round trip time max histogram
• Jitter quality ratio
• Packet loss rate quality ratio
• Round trip time quality ratio
• CallDiagnostics log for CallAutomation API call
• Search calls by keyword
• Search all participants in a call

ACSCallRecordingIncomingOperations

• Call Recording operations
• Calculate Call Recording operation duration percentiles
• Top 5 IP addresses per Call Recording operation
• Call Recording operational errors
• Call Recording operation result counts
• Call Recording logs by ID

ACSCallRecordingSummary

• Call Recording duration histogram
• Call Recording duration percentiles
• Call Recording's end reason ratio
• Daily Call Recordings
• Hourly Call Recordings
• Call Recording's mode ratio

ACSCallSummary

• Participants per call
• Participant Phone Numbers
• Participants per group call
• Call type ratio
• Call duration histogram
• Call duration percentiles
• Daily calls
• Hourly calls
• Endpoints per call
• SDK version ratio
• OS version ratio
• CallSummary log for CallAutomation API call
• Search calls by keyword
• Search all participants in a call
• Search all client operations in a call

ACSCallSummaryUpdates

• Call duration percentiles

ACSCallSurvey

• Overall call rating
• Audio rating
• Video rating
• Screenshare rating
• Overall call issues
• Audio issues
• Video issues
• Screenshare issues
• Search calls by keyword
• Search all participants in a call

ACSChatIncomingOperations

• Chat operations
• Calculate chat operation duration percentiles
• Top 5 IP addresses per chat operation
• Chat operational errors
• Chat operation result counts

ACSEmailSendMailOperational

• Email Send Request Summary

ACSEmailStatusUpdateOperational

• Email failed deliveries by recipient ID
• Email Failed Deliveries by Message Id
• Email Bounced and Suppressed Recipients

ACSJobRouterIncomingOperations

• Job Router operations
• Calculate Job Router operation duration percentiles
• Top 5 IP addresses per Job Router operation
• Job Router operational errors
• Job Router operation result counts

ACSRoomsIncomingOperations

• Rooms operational errors
• Rooms operation result counts
• Rooms operation summary

ACSSMSIncomingOperations

• List distinct SMS operations
• Calculate SMS operation duration percentiles
• Top 5 IP addresses per SMS operation
• SMS operational errors
• SMS operation result counts

ADAssessmentRecommendation

• AD Recommendations by Focus Area
• AD Recommendations by Computer
• AD Recommendations by Forest
• AD Recommendations by Domain
• AD Recommendations by DomainController
• AD Recommendations by AffectedObjectType
• How many times did each unique AD Recommendation trigger?
• High priority AD Assessment security recommendations

ADFActivityRun

• Activity Runs Availability
• Activity runs latest Status

ADFPipelineRun

• PipelineRuns Availability
• Pipeline runs latest Status

ADFSSignInLogs

• Top ADFS account lockouts

ADFTriggerRun

• TriggerRuns Availability
• Trigger runs latest Status

ADTDataHistoryOperation

• Data History operation failure logs
• Data History egress latency

ADTDigitalTwinsOperation

• DigitalTwin Error Summary
• DigitalTwin API Usage

ADTEventRoutesOperation

• EventRoutes API Usage

ADTModelsOperation

• Model Error Summary
• Model API Usage

ADTQueryOperation

• Query Error Summary

ADXIngestionBatching

• Ingestion batching size
• Ingestion batching summary
• Ingestion batching duration timechart

ADXTableUsageStatistics

• Table usage by number of queries
• Table usage by application
• Table data scanned - top time windows
• Table data scanned - top tables

AEWComputePipelinesLogs

• AEWComputePipelinesLogs get daily tasks count
• AEWComputePipelinesLogs get failed tasks detail
• AEWComputePipelinesLogs get long running jobs
• AEWComputePipelinesLogs get task E2E latency time

AEWExperimentAssignmentSummary

• Variant assignment counts by features
• Latest scorecard metadata for a given feature
• Latest scorecard results for a given feature

AEWExperimentScorecardMetricPairs

• Latest scorecard results for a given feature

AEWExperimentScorecards

• Latest scorecard metadata for a given feature
• Latest scorecard results for a given feature

AFSAuditLogs

• Aggregate operations query
• Unauthorized requests query

AGCAccessLogs

• Client requests per hour
• 5xx HTTP responses per hour
• 4xx HTTP responses per hour

AGSGrafanaLoginEvents

• Show login error events

AHDSDicomAuditLogs

• DICOM privileged operations

AHDSDicomDiagnosticLogs

• Log count per log starting with Dicom100 error code and CorrelationId

AHDSMedTechDiagnosticLogs

• Most recent actionable MedTech logs
• Log count per MedTech log or exception type
• MedTech healthcheck exceptions
• MedTech normalization stage logs
• MedTech FHIR conversion stage logs

AKSAudit

• Volume of Kubernetes audit events per SourceIp

AKSAuditAdmin

• Volume of admin Kubernetes audit events per username
• Admin Kubernetes audit events for deployment

AKSControlPlane

• Cluster Autoscaler logs
• Kubernetes API server logs

ALBHealthEvent

• Latest Snat Port Exhaustion Per LB Frontend

AMSKeyDeliveryRequests

• Key delivery successful request count by key type
• Key delivery failed requests
• Key delivery requests latency at 95 and 99 percentiles

AMSLiveEventOperations

• Live event ingest discontinuity operation count
• Live event error operations

AMSMediaAccountHealth

• Media account health events

AMSStreamingEndpointRequests

• Streaming endpoint successful request count by client IP
• Streaming endpoint informational requests

AOIDatabaseQuery

• Queries executed by a user on dataproduct

AOIDigestion

• Row digestion errors
• Failed file digestion by source

AOIStorage

• Ingestion operation on storage
• Delete operation on storage
• Read operation on storage
• Read operation on input storage

ASCDeviceEvents

• Azure Sphere device authentication and attestation failures
• Azure Sphere device events timeline
• Azure Sphere device heartbeat events timechart
• Azure Sphere devices not updated to latest OS
• Azure Sphere device telemetry events summary

ASRJobs

• Get all test failover jobs run

ASRReplicatedItems

• Get replication health status history

ASimDnsActivityLogs

• Count DNS failures for a source by source and type
• Identify excessive query for a nonexistent domain by a source

AVNMConnectivityConfigurationChange

• Recent connectivity configuration changes
• Recent failed connectivity configuration changes

AVNMIPAMPoolAllocationChange

• AVNM IPAM pool allocation changes
• Failed AVNM IPAM pool allocation changes

AVNMNetworkGroupMembershipChange

• Get recent Network Group Membership changes
• Failed Network Group Membership Changes

AVNMRuleCollectionChange

• Get recent security admin rule collection changes
• Get recent failed security admin rule collection changes

AVSSyslog

• Get DNS failures
• Get distributed Firewall logs
• Get audit events for VM created
• Get audit events for VM deleted
• Get audit events for VM powered on
• Get audit events for VM disconnected
• Get audit events for VM rebooted
• Get audit events for VM migrated
• Get audit events for host added
• Get audit events for host shutdown
• Get audit events for host enter maintenance mode
• Get audit events for host exit maintenance mode
• Get audit events for host connected
• Get audit events for host connection lost
• Get audit events for cluster
• Get audit events count for NSX
• Get audit events count for vCenter
• Get audit events for role added
• Get AVS events with severity of Info

AWSCloudTrail

• New users per region
• All AWS CloudTrail events
• AWSCT for user
• AWS console sign in

AWSGuardDuty

• High severity findings

AWSVPCFlow

• Rejected IPv4 actions

AZFWApplicationRule

• Application rule logs
• All firewall decisions

AZFWDnsQuery

• DNS proxy logs

AZFWFatFlow

• Azure Firewall Top Flow Logs

AZFWFlowTrace

• Azure Firewall flow trace logs

AZFWIdpsSignature

• IDPS event logs
• All firewall decisions

AZFWInternalFqdnResolutionFailure

• Internal FQDN resolution failures

AZFWNatRule

• DNAT rule logs
• All firewall decisions

AZFWNetworkRule

• Network rule logs
• All firewall decisions

AZFWThreatIntel

• Threat intelligence logs
• All firewall decisions

AZKVAuditLogs

• Are there any failures?
• Are there any slow requests?
• How active has this KeyVault been?
• How fast is this KeyVault serving requests?
• What changes occurred last month?
• Who is calling this KeyVault?

AZMSDiagnosticErrorLogs

• Publish detailed error logs
• Publish detailed error logs

AZMSHybridConnectionsEvents

• Publish HTTP send data for hybrid connection

AZMSOperationalLogs

• Publish success data for topics
• Publish failures for subscription
• Publish failures for namespace
• Publish success data for topics
• Publish failures for Topics
• Publish failures for subscription
• Publish failures for namespace

AZMSRunTimeAuditLogs

• Publish successful connection for AMQP protocol
• Publish failed AAD logs
• Publish failed SAS logs
• Publish failure for send message
• Publish failure for Namespace
• [Classic] Errors in the last 7 days
• Publish successful connection for AMQP protocol
• Publish failures for send message
• Publish failure for namespace
• Publish failed AAD logs
• Publish failed SAS logs

AZMSVnetConnectionEvents

• Publish deny connection by namespace
• Publish namespace vnet data
• Publish deny connection by namespace
• Publish virtual network events by namespace
• Publish deny connection by namespace
• Publish virtual network events by namespace

AddonAzureBackupJobs

• Distribution of Backup Jobs by Status
• Distribution of Restore Jobs by Status
• All Successful Jobs
• All Failed Jobs

AddonAzureBackupStorage

• Trend of total Cloud Storage consumed

AegDataPlaneRequests

• Unique unauthorized or forbidden client IP addresses

AegDeliveryFailureLogs

• Delivery failures by topic and error
• Delivery failures by topic and error
• Delivery failures by domain and error
• Topics Average Delivery Latency
• Domains Average Delivery Latency

AegPublishFailureLogs

• Publish failures by topic and error
• Publish failures by topic and error
• Publish failures by domain and error

AggregatedSecurityAlert

• Group Aggregated Security Alerts by Sector

AgriFoodApplicationAuditLogs

• Failed authorization

AgriFoodFarmManagementLogs

• Status of farm management operations for a farmer
• Status of all operations for a farmer
• Usage trend for top 100 farmers based on the operations performed

AgriFoodJobProcessedLogs

• Job execution statistics for a farmer

AlertEvidence

• Alerts involving a user

AlertInfo

• Alerts by MITRE ATT&CK technique

AmlComputeClusterEvent

• Get cluster events for clusters for specific VM size
• Get number of running nodes
• Graph of Running and Idle Node instances

AmlComputeCpuGpuUtilization

• Plot compute cluster utilization

AmlComputeJobEvent

• Get failed jobs
• Get records for a job
• Display top 5 longest job runs

AmlDataSetEvent

• Count datasets reads

AmlEnvironmentEvent

• Request the history of accessing environment

AmlModelsEvent

• Found users who accessed models

AmlOnlineEndpointConsoleLog

• Online endpoint console logs

AmlOnlineEndpointEventLog

• Online endpoint failure events

AmlOnlineEndpointTrafficLog

• Online endpoint failed requests

AmlRegistryWriteEventsLog

• All WRITE events

Anomalies

• Get Production Anomalies (last day)
• Get Flighting Anomalies (last day)

ApiManagementGatewayLogs

• Number of requests
• Logs of the last 100 calls
• Number of calls by APIs
• Bandwidth consumed
• Request sizes
• Response sizes
• Client TLS versions
• Error reasons breakdown
• Last 100 failed requests
• Get failed requests due to issues related to the backend
• Get failed requests due to issues not related to the backend
• Overall latency
• Backend latency
• Client latency
• Cache hit ratio

AppDependencies

• Failing dependencies

AppEnvSpringAppConsoleLogs

• Latest Container App first party Spring App errors

AppExceptions

• Top 3 browser exceptions

AppPageViews

• Page views trend
• Slowest pages

AppPlatformLogsforSpring

• Show the application logs which contain the "error" or "exception" terms
• Show the error and exception number of each application

AppPlatformSystemLogs

• Show the config server logs
• Show the service registry logs
• Show the Spring Cloud Gateway logs
• Show the API portal logs
• Show the Application Configuration Service logs
• Show the Spring Cloud Gateway operator logs

AppRequests

• Response time trend
• Request count trend
• Response time buckets
• Operations performance
• Top 10 countries by traffic
• Failed requests – top 10
• Failed operations
• Exceptions causing request failures

AppServiceAppLogs

• Count app logs by severity
• App logs for each App Service

AppServiceAuditLogs

• Audit Logs relating to unexpected users

AppServiceAuthenticationLogs

• Most recent errors from App Service Authentication
• Most recent warnings from App Service Authentication
• Top 100 most frequent errors and warnings from App Service Authentication

AppServiceConsoleLogs

• Find console logs relating to application startup

AppServiceFileAuditLogs

• File Audit Logs relating to a "Delete" operation

AppServiceHTTPLogs

• App Service Health
• Failure Categorization
• Response times of requests
• Top 5 Clients
• Top 5 Machines

AutoscaleEvaluationsLog

• Review Autoscale evaluations

AutoscaleScaleActionsLog

• Display top Autoscale 50 logs
• Autoscale operation status
• Autoscale failed operations

AzureActivity

• [Classic] Find In AzureActivity
• Shut down Virtual Machines
• Latest 50 logs
• Operations' status
• Recent Azure Activity logs
• Failed operations
• Resources creation
• Find In AzureActivity
• Show logs from AzureActivity table
• Show logs from AzureActivity table
• Display top 50 Activity log events
• Display Activity log Administrative events
• VM creation
• Display Activity log events generated from Policy
• List callers and their associated action in last 48 hours
• All Azure Activity
• Azure Activity for user
• Successful key enumaration
• Network Access JIT initiation
• Azure Activity operation statistics

AzureAttestationDiagnostics

• Are there any authorization failures?
• Are there any slow requests?
• How active has this Attestation provider been?
• Who is calling this attestation provider?
• Have there been any changes to attestation policy?
• Have there been any errors attempting to configure the attestation policy?

AzureBackupOperations

• Get all backup operations

AzureDiagnostics

• Errors in automation jobs
• Find logs reporting errors in automation jobs from the last day
• Azure Automation jobs that are failed, suspended, or stopped
• Runbook completed successfully with errors
• View historical job status
• Azure Automation jobs that are Completed
• Successful tasks per job
• Failed tasks per job
• Task durations
• Pool resizes
• Pool resize failures
• [Microsoft CDN (classic)] Requests per hour
• [Microsoft CDN (classic)] Traffic by URL
• [Microsoft CDN (classic)] 4XX error rate by URL
• [Microsoft CDN (classic)] Request errors by user agent
• [Microsoft CDN (classic)] Top 10 URL request count
• [Microsoft CDN (classic)] Unique IP request count
• [Microsoft CDN (classic)] Top 10 client IPs and HTTP versions
• [Azure Front Door Standard/Premium] Top 20 blocked clients by IP and rule
• [Azure Front Door Standard/Premium] Requests to origin by route
• [Azure Front Door Standard/Premium] Request errors by user agent
• [Azure Front Door Standard/Premium] Top 10 client IPs and http versions
• [Azure Front Door Standard/Premium] Request errors by host and path
• [Azure Front Door Standard/Premium] Firewall blocked request count per hour
• [Azure Front Door Standard/Premium] Firewall request count by host, path, rule, and action
• [Azure Front Door Standard/Premium] Requests per hour
• [Azure Front Door Standard/Premium] Top 10 URL request count
• [Azure Front Door Standard/Premium] Top 10 URL request count
• [Azure Front Door Standard/Premium] Unique IP request count
• Find In AzureDiagnostics
• Execution time exceeding a threshold
• Show the Slowest queries
• Show Query's statistics
• Review audit log events in GENERAL class
• Review audit log events in CONNECTION class
• Execution time exceeding a threshold
• Show the Slowest queries
• Show Query's statistics
• Review audit log events in GENERAL class
• Review audit log events in CONNECTION class
• Autovacuum events
• Server restarts
• Find Errors
• Unauthorized connections
• Deadlocks
• Lock contention
• Audit logs
• Audit logs for table(s) and event type(s)
• Queries with execution time exceeding a threshold
• Slowest queries
• Query statistics
• Execution count trends
• Top wait events
• Wait event trends
• Connectvity errors
• Devices with most throttling errors
• Dead endpoints
• Error summary
• Recently connected devices
• SDK version of devices
• Consumed RU/s in last 24 hours
• Collections with throttles (429) in past 24 hours
• Top operations by consumed Request Units (RUs) in last 24 hours
• Top logical partition keys by storage
• [Classic] Duration of Capture failure
• [Classic] Join request for client
• [Classic] Access to keyvault - key not found
• [Classic] Operation performed with keyvault
• Errors in the last 7 days
• Duration of Capture failure
• Join request for client
• Access to keyvault - key not found
• Operation performed with keyvault
• [Classic] How active has this KeyVault been?
• [Classic] Who is calling this KeyVault?
• [Classic] Are there any slow requests?
• [Classic] How fast is this KeyVault serving requests?
• [Classic] Are there any failures?
• [Classic] What changes occurred last month?
• [Classic] List all input deserialization errors
• [Classic] Find In AzureDiagnostics
• Total billable executions
• Logic App execution distribution by workflows
• Logic App execution distribution by status
• Triggered failures count
• Requests per hour
• Non-SSL requests per hour
• Failed requests per hour
• Errors by user agent
• Errors by URI
• Top 10 Client IPs
• Top HTTP versions
• Network security events
• Requests per hour
• Forwarded backend requests by routing rule
• Request errors by host and path
• Request errors by user agent
• Top 10 client IPs and http versions
• Firewall blocked request count per hour
• Top 20 blocked clients by IP and rule
• Firewall request count by host, path, rule, and action
• Application rule log data
• Network rule log data
• Threat Intelligence rule log data
• Azure Firewall log data
• Azure Firewall DNS proxy log data
• BGP route table
• BGP informational messages
• Endpoints with monitoring Status down
• Successful P2S connections
• Failed P2S connections
• Gateway configuration changes
• S2S tunnel connet/disconnect events
• BGP route updates
• Show logs from AzureDiagnostics table
• Failed backup jobs
• [Classic] List Management operations
• [Classic] Error Summary
• [Classic] Keyvault access attempt - key not found
• [Classic] AutoDeleted entities
• [Classic] Keyvault performed operational
• Management operations in the last 7 days
• Errors summary
• Keyvault access attempt - key not found
• AutoDeleted entities
• Keyvault performed operational
• Storage on managed instances above 90%
• CPU utilization treshold above 95% on managed instances
• Display all active intelligent insights
• Wait stats
• List all input data errors
• List all input deserialization errors
• List all InvalidInputTimeStamp errors
• List all InvalidInputTimeStampKey errors
• Events that arrived late
• Events that arrived early
• Events that arrived out of order
• All output data errors
• List all RequiredColumnMissing errors
• List all ColumnNameInvalid errors
• List all TypeConversionError errors
• List all RecordExceededSizeLimit errors
• List all DuplicateKey errors
• All logs with level "Error"
• Operations that have "Failed"
• Output Throttling logs (Cosmos DB, Power BI, Event Hubs)
• Transient input and output errors
• Summary of all data errors in the last 7 days
• Summary of all errors in the last 7 days
• Summary of 'Failed' operations in the last 7 days

AzureLoadTestingOperation

• Azure load test creation count
• Azure load test run creation count

AzureMetrics

• Pie chart of HTTP response codes
• Line chart of response times
• [Classic] Find In AzureMetrics
• Latest metrics
• Find In AzureMetrics
• ExpressRoute Circuit BitsInPerSecond traffic graph
• ExpressRoute Circuit BitsOutPerSecond traffic graph
• ExpressRoute Circuit ArpAvailablility graph
• ExpressRoute Circuit BGP availability
• Avg CPU usage
• Performance troubleshooting
• Loading Data
• P2S connection count
• P2S bandwidth utilization
• Gateway throughput
• Show logs from AzureMetrics table
• Show logs from AzureMetrics table
• Cluster availability (KeepAlive)

CCFApplicationLogs

• CCF application errors

CIEventsAudit

• CIEventsAudit - API response codes line chart
• CIEventsAudit - result type ClientError
• CIEventsAudit - security level Error
• CIEvents - all events for a specific correlation id
• CIEventsAudit - all events for a specific instance ID

CIEventsOperational

• CIEventsOperational - event type ApiEvent
• CIEventsOperational- event type WorkflowEvent
• CIEvents - all events for a specific correlation id
• CIEventsOperational - all events for a specific instance ID

CassandraLogs

• Cassandra logs
• Cassandra errors or warnings

ChaosStudioExperimentEventLogs

• Failed experiment runs
• Experiment events on last experiment run

CloudAppEvents

• File name extension change

CloudHsmServiceOperationAuditLogs

• Are there any slow requests?
• How active has this Cloud HSM been?
• Are there any failures?

CommonSecurityLog

• Palo Alto collector machine usage
• Cisco ASA events type usage
• Device events volume statistics

CommunicationComplianceActivity

• Office Communication Compliance events filtered by organization ID

ConfidentialWatchlist

• Get confidential Watchlist aliases
• Lookup events using a confidential Watchlist

ConfigurationChange

• Stopped Windows services
• Software changes
• Service changes
• Software change type per computer
• Stopped services
• Software change count per category
• Removed software changes

ConfigurationData

• Recent stopped auto services

ContainerAppConsoleLogs

• Latest Container App user errors

ContainerImageInventory

• Image inventory
• Find In ContainerImageInventory

ContainerInventory

• Container Lifecycle Information

ContainerLog

• Find a value in Container Logs Table
• Billable Log Data by log-type
• List container logs per namespace
• Find In ContainerLog

ContainerLogV2

• Find In ContainerLogV2

ContainerNodeInventory

• Find In ContainerNodeInventory

ContainerRegistryLoginEvents

• Show login events reported over the last hour

ContainerRegistryRepositoryEvents

• Show registry events reported over the last hour

ContainerServiceLog

• Find In ContainerServiceLog

CoreAzureBackup

• Backup Items by Vault and Backup item type

DCRLogErrors

• Ingestion and Transformation errors from data collection rules

DNSQueryLogs

• DNS queries by virtual network and return code

DataTransferOperations

• Discovered object
• Terminal object state

DatabricksWorkspaceLogs

• List all Databricks Diagnostic Settings categories

DataverseActivity

• Dataverse events filtered by operation type

DevCenterDiagnosticLogs

• Failed actions query

DevCenterResourceOperationLogs

• Hibernate Unsupported Check

DeviceCalendar

• Exchange Error

DeviceCleanup

• Cleanup Failure

DeviceHardwareHealth

• Hardware Minor
• Hardware Alert

DeviceHealth

• Software Alert

DeviceSkypeHeartbeat

• Skype Error

DeviceTvmSecureConfigurationAssessment

• Devices with antivirus configurations issue

DeviceTvmSoftwareInventory

• Unsupported software titles

DeviceTvmSoftwareVulnerabilities

• Devices affected by a specific vulnerability

DnsEvents

• Clients Resolving Malicious Domains

EGNFailedHttpDataPlaneOperations

• TLS 1.3 Lower query

EGNFailedMqttConnections

• Authentication error query

EGNMqttDisconnections

• Disconnections reason query
• Session disconnections query

EGNSuccessfulHttpDataPlaneOperations

• TLS 1.3 Lower query

EGNSuccessfulMqttConnections

• Session connections query

EmailAttachmentInfo

• Files from malicious sender
• Emails to external domains with attachments

EmailEvents

• Phishing emails from the top 10 sender domains
• Emails with malware

EmailPostDeliveryEvents

• Post-delivery administrator actions
• Unremediated post-delivery phishing email detections
• Full email processing details

EmailUrlInfo

• URLs in an email

Event

• Memory usage percentage
• Avg node CPU usage percentage
• Virtual machines failed
• Total virtual machines in a cluster.
• Available volume capacity in a cluster.
• Volume latency
• Volume IOPS
• Volume throughput
• Cluster node down
• Memory usage percentage
• Ingestion latency (end-to-end) timechart - Event table
• Show the trend of a selected event
• Error event on computer missing security co critical update
• All Events in the past hour
• Events started
• Events by event source
• Events by event ID
• Warning events
• Count of warning events
• Events in OM between 2000 to 3000
• Windows Fireawall policy settings
• Windows Fireawall policy settings changed by machines

FailedIngestion

• Failed ingestions by errors
• Failed ingestions timechart
• Failed Ingestions

FunctionAppLogs

• Show application logs from Function Apps
• Show logs with warnings or exceptions
• Error and exception count
• Function activity over time
• Function results
• Function Error rate

GCPAuditLogs

• PubSub subscription logs with severity info

Heartbeat

• Count heartbeats
• Last heartbeat of each computer
• Ingestion latency (end-to-end) spikes - Heartbeat table
• Agent latency spikes - Heartbeat table
• Recently stopped heartbeats - Heartbeat table
• Computers availability today
• Unavailable computers
• Availability rate
• Not reporting VMs
• Computers list
• Find In Heartbeat

IdentityDirectoryEvents

• Group Membership changed
• Password change event

IdentityLogonEvents

• LDAP authentication processes with cleartext passwords

IdentityQueryEvents

• SAMR queries to Active Directory

InsightsMetrics

• IoT Edge: Device offline or not sending messages upstream at expected rate
• IoT Edge: Edge Hub queue size over threshold
• Maximum node disk
• Prometheus disk read per second per node
• Find In InsightsMetrics
• What data is being collected?
• Virtual Machine available memory
• Chart CPU usage trends by computer
• Virtual Machine free disk space
• Track VM Availability using Heartbeat
• Top 10 Virtual Machines by CPU utilization
• Bottom 10 Free disk space %

KubeEvents

• Kubernetes events
• Find In KubeEvents

KubeMonAgentEvents

• Find In KubeMonAgentEvents

KubeNodeInventory

• Avg node CPU usage percentage per minute
• Avg node memory usage percentage per minute
• Readiness status per node
• Find In KubeNodeInventory

KubePodInventory

• Pods in crash loop
• Pods in pending state
• Find In KubePodInventory

KubeServices

• Find In KubeServices

LAQueryLogs

• Most Requested ResourceIds
• Unauthorized Users
• Throttled Users
• Request Count by ResponseCode
• Top 10 resource intensive queries
• Top 10 longest time range queries

LASummaryLogs

• Bin Rules Query Duration

LogicAppWorkflowRuntime

• Count of failed workflow operations from Logic App Workflow Runtime

MDCDetectionDNSEvents

• All DNS events where the domain queried was 'www.google.com' ordered by time

MDCDetectionFimEvents

• All FIM events for directories

MDCDetectionGatingValidationEvents

• All recent Gating validation events

MNFDeviceUpdates

• Find all entries where value is active
• Find all entries where value is up
• Find all events of the type VxlanVlanToVniVlan
• Find all entries where afisafiname is not of the type L2VPN_EVPN
• Find all entries where network instance name is of the type workload-mgmt

MNFSystemSessionHistoryUpdates

• Find all entries where session update user is admin

MNFSystemStateMessageUpdates

• Find all errors from Syslog

MicrosoftDataShareReceivedSnapshotLog

• List received snapshots by duration
• Count failed received snapshots
• Frequent errors in received snapshots
• Chart of daily received snapshots

MicrosoftDataShareSentSnapshotLog

• List sent snapshots by duration
• Count failed sent snapshots
• Frequent errors in sent snapshots
• Chart of daily sent snapshots

MicrosoftGraphActivityLogs

• Frequent users endpoint callers
• Failed groups endpoint requests

MicrosoftPurviewInformationProtection

• Microsoft Purview Information Protection events

NGXOperationLogs

• Show NGINXaaS access logs
• Show NGINXaaS error logs

NGXSecurityLogs

• Show NGINXaaS security logs

NWConnectionMonitorPathResult

• Path diagnostics

NWConnectionMonitorTestResult

• Failed tests
• Tests performance

NetworkSessions

• Get traffic to non standard ports
• High volume traffic to uncommon domains

OEPAirFlowTask

• DAG type vs DAG runs summary statitics
• Correlation IDs of all DAG runs
• Logs of a DAG run
• Error logs of a DAG run

OLPSupplyChainEntityOperations

• Count of successful warehouse delete requests

OfficeActivity

• All Office Activity
• Users accessing files
• File upload operation
• Office activity for user
• Creation of Forward rule
• Suspicious file name

Perf

• Non-RDMA activity
• RDMA activity
• What data is being collected?
• Memory and CPU usage
• CPU usage trends over the last day
• Top 10 computers with the highest disk space
• What data is being collected?
• Virtual Machine available memory
• Chart CPU usage trends
• Virtual Machine free disk space
• Top 10 Virtual Machines by CPU utilization
• Bottom 10 Free disk space %
• Container CPU
• Container memory
• Instances Avg CPU usage growth from last week
• Find In Perf

PowerAppsActivity

• Power Apps events filtered activity type

PowerAutomateActivity

• Power Automate events filtered by activity type

PowerBIActivity

• PowerBI events filtered by organization ID

PowerPlatformAdminActivity

• Power Platform administration events

PowerPlatformConnectorActivity

• Power Platform Connector events filtered by by activity type

PowerPlatformDlpActivity

• Power Platform DLP events filtered by by activity type

ProjectActivity

• MS Project events filtered by organization ID

ProtectionStatus

• Signatures out of date
• Protection Status updates
• Malware detection

PurviewSecurityLogs

• Audit collection delete events

REDConnectionEvents

• Unique authenticated Redis client IP addresses
• Redis client authentication requests per hour
• Redis client connections per hour
• Redis client disconnections per hour
• Unsuccessful authentication attempts on Redis cache

ResourceManagementPublicAccessLogs

• Group number of requests based on the IP address
• Number of opertions triggered
• Calls based on the target URI
• Calls based on operation name
• Calls based on user

SQLAssessmentRecommendation

• SQL Recommendations by Focus Area
• SQL Recommendations by Computer
• SQL Recommendations by Instance
• SQL Recommendations by Database
• SQL Recommendations by AffectedObjectType
• How many times did each unique SQL Recommendation trigger?
• High priority SQL Assessment recommendations

SecurityAttackPathData

• All attack paths by specific risk level

SecurityEvent

• Security Events most common event IDs
• Members added to security groups
• Uses of clear text password
• Windows failed logins
• All Security Activities
• Security Activities on the Device
• Security Activities for Admin
• Logon Activity by Device
• Devices With More Than 10 Logons
• Accounts Terminated Antimalware
• Devices with Antimalware Terminated
• Devices Where Hash Was Executed
• Process Names Executed
• Devices With Security Log Cleared
• Logon Activity by Account
• Accounts With Less Than 5 Times Logons
• Remoted Logged Accounts on Devices
• Computers With Guest Account Logons
• Members Added to Security Enabled Groups
• Domain Security Policy Changes
• System Audit Policy Changes
• Suspicious Executables
• Logons With Clear Text Password
• Computers With Cleaned Event Logs
• Accounts Failed to Logon
• Locked Accounts
• Change or Reset Passwords Attempts
• Groups Created or Modified
• Remote Procedure Call Attempts
• User Accounts Changed

SentinelAudit

• Failures updating Office365-Sharepoint related Sentinel resources

SignalRServiceDiagnosticLogs

• Client connection IDs
• Connection close reasons
• IP addresses
• Logs relating to specific connection ID
• Logs relating to specific message tracing ID
• Logs relating to specific user ID
• Logs with warning or exceptions
• Server connection IDs
• Time chart of operation names
• Transport types
• User IDs

SigninLogs

• All SiginLogs events
• Resources accessed by user
• User count per Resource
• User count per Application
• Failed Signin reasons
• Failed MFA challenge
• Failed App tried silent signin
• Failed login Count
• Signin Locations
• Logins To Resource

StorageBlobLogs

• Most common errors
• Operations causing most errors
• Operations with the highest latency
• Operations causing server side throttling
• Show anonymous requests
• Frequent operations chart

StorageCacheOperationEvents

• Failed operation
• Failed priming job
• Completed long-running asynchronous operations

StorageCacheUpgradeEvents

• Upgrade events

StorageCacheWarningEvents

• Active warning events

StorageMalwareScanningResults

• Malicious blobs per storage account
• Unsuccessful Scans

SucceededIngestion

• Succeeded ingestions
• Succeeded ingestions timechart

SynapseLinkEvent

• Synapse Link table fail events

Syslog

• Find Linux kernel events
• All Syslog
• All Syslog with errors
• All Syslog by facility
• All Syslog by process name
• Users Added to Linux Group by Computer
• New Linux Group Created by Computer
• Failed Linux User Password Change
• Computers With Failed Ssh Logons
• Computers With Failed Su Logons
• Computers With Failed Sudo Logons

TSIIngress

• Show event source connection errors
• 10 latest Ingress logs
• Show deserialization errors

UCDOAggregatedStatus

• Content distribution in Gigabytes

UCDOStatus

• Device configuration

Update

• Missing security or critical updates
• Updates available for Windows machines
• Updates available for Linux machines
• Missing updates summary
• Missing updates list
• Computer with missing updates
• Missing required updates for server
• Missing critical security updates
• Missing security or critical where update is manual
• Missing update rollups
• Distinct missing updates cross computers

UpdateRunProgress

• Patch installation failure for your machines

UpdateSummary

• Summary of updates available across machines
• Missing update specific product
• Automatic update configuration
• Automatic update configuration is disabled

UrlClickEvents

• Links where a user was allowed to proceed

Usage

• Usage by data types
• Billable performance data
• Volume of solutions' data
• Total workspace ingestion over the last 24 hours
• Container Insight solution billable data

VCoreMongoRequests

• Mongo vCore requests P99 duration by operation
• Mongo vCore requests binned by duration
• Failed Mongo vCore requests
• Mongo vCore requests by user agent

VIAudit

• Video Indexer Audit by account id
• Video Indexer Audit top 10 users by operations
• Video Indexer Audit parsed error message
• Video Indexer Audit failed operations

VIIndexing

• Failed Indexing operations
• Top 10 users

W3CIISLog

• List IIS log entries
• Display breakdown respond codes
• Maximum time taken for each page
• Show 404 pages list
• Average HTTP request time
• Servers with internal server error
• Count IIS log entries by HTTP request method
• Count IIS log entries by HTTP user agent
• Count IIS log entries by client IP address
• IIS log entries for client IP
• Count of IIS log entries by URL
• Count of IIS log entries by host
• Total bytes traffic by client IP
• Bytes received by each IIS computer
• Bytes responded to clients by each IIS server IP
• Average HTTP request time by client IP

WVDAgentHealthStatus

• Active sessions on SessionHost
• HealthChecks of SessionHost

WVDCheckpoints

• Published remote resources by count of users

WVDConnectionNetworkData

• Average round-trip time over time
• Average BW across all connections
• Top 10 users with the highest round-trip time
• Top 10 users with lowest bandwidth
• Summary of Round-trip time and bandwidth

WVDConnections

• Connection Errors
• Session duration
• Top 10 users by average connection duration
• Top 10 most active users
• Average connection duration by hostpool
• Client-side operating system information by user count
• Azure Virtual Desktop client usage information
• Average session logon time

WVDErrors

• Top 10 connection errors
• Top 10 feed errors

WaaSDeploymentStatus

• Update deployment failures
• Devices pending reboot to complete update
• Devices with a Safeguard Hold
• Target build distribution of devices with a safeguard hold

WaaSUpdateStatus

• Distribution of device Servicing Branch
• Distribution of device OS Edition
• Feature Update Deferral Configurations
• Feature Update Pause Configurations
• Quality Update Deferral Configurations
• Quality Update Pause Configurations

Watchlist

• Get Watchlist aliases
• Lookup events using a Watchlist

WindowsEvent

• WindowsEvent Audit Policy Events

WireData

• Agents that provide wire data
• IP Addresses of the agents providing wire data
• All Outbound communications by Remote IP Address
• Bytes sent by Application Protocol
• Bytes received by Protocol Name
• Total bytes by IP version
• Remote IP addresses that have communicated with agents on the subnet '10.0.0.0/8' (any direction)
• Processes that initiated or received network traffic
• Amount of Network Traffic by Process

WorkloadDiagnosticLogs

• Workload Monitoring Insights data collection warnings or errors

Next steps

• Analyze logs from Azure storage with Log Analytics
• Learn more about resource logs
• Change resource log diagnostic settings using the Azure Monitor REST API