Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
[Classic] Find In AzureActivity
[Classic] Find in AzureActivity to search for a specific value in the AzureActivity table./nNote that this query requires updating the <SeachValue> parameter to produce results
// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue = "<SearchValue>";//Please update term you would like to find in the table.
AzureActivity
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where * contains tostring(SearchValue)
| take 1000
Shut down Virtual Machines
Virtual Machines successfully shut down in the last 10 minutes.
// To create an alert for this query, click '+ New alert rule'
AzureActivity
| where TimeGenerated > ago(10m)
| where OperationName == "Deallocate Virtual Machine" and ActivityStatus == "Succeeded"
Latest 50 logs
Show the latest Azure Activity logs for this resource.
AzureActivity
| top 50 by TimeGenerated desc
Operations' status
Show the latest Azure activity log for each operation.
AzureActivity
| summarize arg_max(TimeGenerated, *) by OperationName
Recent Azure Activity logs
Display all Azure Activity logs from the last hour.
AzureActivity
| where Level == "Error" or Level == "Warning"
| project TimeGenerated, Level, ResourceProvider, ActivityStatus, Caller, Category, Properties, CorrelationId
Failed operations
List all reports of failed operations, over the past hour.
AzureActivity
| where TimeGenerated > ago(1h)
| where ActivityStatus == "Failed"
Resources creation
List created Azure resources. Can be useful for monitoring and alerts.
AzureActivity
| where OperationNameValue has "Microsoft.Resources/deployments/write"
| where CategoryValue == "Administrative"
| where ActivityStatusValue == "Success"
| project Caller, TimeGenerated, _ResourceId
Find In AzureActivity
Find in AzureActivity to search for a specific value in the AzureActivity table./nNote that this query requires updating the <SeachValue> parameter to produce results
// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue = "<SearchValue>";//Please update term you would like to find in the table.
AzureActivity
| where ResourceProvider == "Microsoft.ContainerService"
| where * contains tostring(SearchValue)
| take 1000
Show logs from AzureActivity table
Lists the latest logs in AzureActivity table, sorted by time (latest first).
AzureActivity
| top 10 by TimeGenerated
Show logs from AzureActivity table
Lists the latest logs in AzureActivity table, sorted by time (latest first).
AzureActivity
| top 10 by TimeGenerated
Display top 50 Activity log events
Display top 50 Activity log events.
AzureActivity
| project TimeGenerated, SubscriptionId, ResourceGroup,ResourceProviderValue,OperationNameValue,CategoryValue,CorrelationId,ActivityStatusValue, ActivitySubstatusValue, Properties_d, Caller
| top 50 by TimeGenerated
Display Activity log Administrative events
Displays Activity log for Administrative category.
AzureActivity
| where CategoryValue == "Administrative"
| order by TimeGenerated desc
VM creation
This query displays results of when a VM is created.
AzureActivity
| where TimeGenerated >= ago(1d)
| where OperationNameValue == "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE" and ActivityStatusValue == "Start"
| where Authorization_d.action == "Microsoft.Compute/virtualMachines/write"
| project OperationNameValue, ActivityStatusValue, VM_Name=Properties_d.resource, ResourceGroup, SubscriptionId, Created_By=Caller
Display Activity log events generated from Policy
Display top 100 records of all effect action operations performed by Azure Policy.
AzureActivity
| project TimeGenerated, SubscriptionId, ResourceProviderValue, OperationNameValue, Caller, CategoryValue, CorrelationId, ActivityStatusValue, Properties_d
| where OperationNameValue has "audit"
| top 100 by TimeGenerated desc
List callers and their associated action in last 48 hours
List callers and their associated action in last 48 hours.
AzureActivity
| where TimeGenerated > ago(2d)
| project Caller, OperationNameValue, ActivityStatusValue, CategoryValue
| where Caller has "@"
All Azure Activity
The query presents all AzureActivity events.
AzureActivity
| project TimeGenerated, Caller, OperationName, ActivityStatus, _ResourceId
Azure Activity for user
Show the user's activity over Azure Activity.
// Replace the UPN in the query with the UPN of the user of interest
let v_Users_UPN= "osotnoc@contoso.com";
AzureActivity
| where Caller == v_Users_UPN
| project TimeGenerated, Caller, OperationName, ActivityStatus
Successful key enumaration
Lists users who performed key enumeration, and their location.
AzureActivity
| where OperationName == "List Storage Account Keys"
| where ActivityStatus == "Succeeded"
| project TimeGenerated, Caller, CallerIpAddress, OperationName
Network Access JIT initiation
Lists the initiation of JIT network access permissions.
AzureActivity
| where OperationName == "Initiate JIT Network Access Policy"
| where ActivityStatus == "Started"
Azure Activity operation statistics
Statistics of operations over Azure Activity.
AzureActivity
| summarize Count=count() by OperationName, _ResourceId
| sort by Count desc nulls last