AzureActivity
Entries from the Azure Activity log that provides insight into any subscription-level or management group level events that have occurred in Azure.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | microsoft.aad/domainservices, microsoft.apimanagement/service, microsoft.appconfiguration/configurationstores, microsoft.network/applicationgateways, microsoft.servicenetworking/trafficcontrollers, microsoft.web/sites, microsoft.kubernetes/connectedclusters, microsoft.toolchainorchestrator/diagnostics, microsoft.attestation/attestationproviders, microsoft.cache/redis, microsoft.cdn/profiles, microsoft.hardwaresecuritymodules/cloudhsmclusters, microsoft.communication/communicationservices, microsoft.documentdb/databaseaccounts, microsoft.datacollaboration/workspaces, microsoft.digitaltwins/digitaltwinsinstances, microsoft.network/dnsresolverpolicies, microsoft.eventgrid/namespaces, microsoft.eventgrid/topics, microsoft.eventhub/namespaces, microsoft.network/azurefirewalls, microsoft.dashboard/grafana, microsoft.keyvault/vaults, microsoft.containerservice/managedclusters, microsoft.loadtestservice/loadtests, microsoft.managednetworkfabric/networkdevices, microsoft.documentdb/cassandraclusters, microsoft.network/loadbalancers, microsoft.networkcloud/baremetalmachines, microsoft.networkcloud/clustermanagers, microsoft.networkcloud/clusters, microsoft.networkcloud/storageappliances, microsoft.purview/accounts, microsoft.recoveryservices/vaults, microsoft.relay/namespaces, microsoft.servicebus/namespaces, microsoft.networkfunction/azuretrafficcollectors, microsoft.network/networkmanagers, microsoft.botservice/botservices, microsoft.chaos/experiments, microsoft.cognitiveservices/accounts, microsoft.connectedcache/cachenodes, microsoft.connectedvehicle/platformaccounts, microsoft.network/networkwatchers/connectionmonitors, microsoft.app/managedenvironments, microsoft.d365customerinsights/instances, microsoft.databricks/workspaces, microsoft.dbformysql/flexibleservers, microsoft.dbforpostgresql/flexibleservers, microsoft.dbforpostgresql/servergroupsv2, microsoft.devcenter/devcenters, microsoft.devopsinfrastructure/pools, microsoft.experimentation/experimentworkspaces, microsoft.hdinsight/clusters, microsoft.compute/virtualmachines, microsoft.logic/integrationaccounts, microsoft.machinelearningservices/workspaces, microsoft.machinelearningservices/registries, microsoft.media/mediaservices, microsoft.azureplaywrightservice/accounts, microsoft.graph/tenants, microsoft.networkanalytics/dataproducts, microsoft.storage/storageaccounts, microsoft.storagecache/amlfilesytems, microsoft.storagemover/storagemovers, microsoft.synapse/workspaces, microsoft.desktopvirtualization/hostpools, default, subscription, resourcegroup, microsoft.signalrservice/webpubsub, microsoft.insights/components, microsoft.desktopvirtualization/applicationgroups, microsoft.desktopvirtualization/workspaces, microsoft.timeseriesinsights/environments, microsoft.workloadmonitor/monitors, microsoft.analysisservices/servers, microsoft.batch/batchaccounts, microsoft.appplatform/spring, microsoft.signalrservice/signalr, microsoft.containerregistry/registries, microsoft.kusto/clusters, microsoft.blockchain/blockchainmembers, microsoft.eventgrid/domains, microsoft.eventgrid/partnernamespaces, microsoft.eventgrid/partnertopics, microsoft.eventgrid/systemtopics, microsoft.conenctedvmwarevsphere/virtualmachines, microsoft.azurestackhci/virtualmachines, microsoft.scvmm/virtualmachines, microsoft.compute/virtualmachinescalesets, microsoft.hybridcontainerservice/provisionedclusters, microsoft.insights/autoscalesettings, microsoft.devices/iothubs, microsoft.servicefabric/clusters, microsoft.logic/workflows, microsoft.automation/automationaccounts, microsoft.datafactory/factories, microsoft.datalakestore/accounts, microsoft.datalakeanalytics/accounts, microsoft.powerbidedicated/capacities, microsoft.datashare/accounts, microsoft.sql/managedinstances, microsoft.sql/servers, microsoft.sql/servers/databases, microsoft.dbformysql/servers, microsoft.dbforpostgresql/servers, microsoft.dbforpostgresql/serversv2, microsoft.dbformariadb/servers, microsoft.devices/provisioningservices, microsoft.network/expressroutecircuits, microsoft.network/frontdoors, microsoft.network/networkinterfaces, microsoft.network/networksecuritygroups, microsoft.network/publicipaddresses, microsoft.network/trafficmanagerprofiles, microsoft.network/virtualnetworkgateways, microsoft.network/vpngateways, microsoft.network/virtualnetworks, microsoft.search/searchservices, microsoft.streamanalytics/streamingjobs, microsoft.network/bastionhosts, microsoft.healthcareapis/services |
| Categories | Azure Resources, Audit, Security |
| Solutions | LogManagement |
| Basic log | No |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| ActivityStatus | string | |
| ActivityStatusValue | string | Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved. |
| ActivitySubstatus | string | |
| ActivitySubstatusValue | string | Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200). |
| Authorization | string | Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as string. The use of Authorization_d should be preferred going forward. |
| Authorization_d | dynamic | Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as dynamic column. |
| _BilledSize | real | The record size in bytes |
| Caller | string | GUID of the caller. |
| CallerIpAddress | string | IP address of the user who has performed the operation UPN claim or SPN claim based on availability. |
| Category | string | |
| CategoryValue | string | Category of the activity log e.g. Administrative, Policy, Security. |
| Claims | string | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward. |
| Claims_d | dynamic | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. |
| CorrelationId | string | Usually a GUID in the string format. Events that share a correlationId belong to the same uber action. |
| EventDataId | string | Unique identifier of an event. |
| EventSubmissionTimestamp | datetime | Timestamp when the event became available for querying. |
| Hierarchy | string | Management group hierarchy of the management group or subscription that event belongs to. |
| HTTPRequest | string | Blob describing the Http Request. Usually includes the "clientRequestId", "clientIpAddress" and "method" (HTTP method. For example, PUT). |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose. |
| OperationId | string | GUID of the operation |
| OperationName | string | |
| OperationNameValue | string | Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action. |
| Properties | string | Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead. |
| Properties_d | dynamic | Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column. |
| Resource | string | |
| ResourceGroup | string | Resource group name of the impacted resource. |
| ResourceId | string | |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ResourceProvider | string | |
| ResourceProviderValue | string | Id of the resource provider for the impacted resource - e.g. Microsoft.Storage. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SubscriptionId | string | Subscription ID of the impacted resource. |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp when the event was generated by the Azure service processing the request corresponding the event. |
| Type | string | The name of the table |