Audit queries in Azure Monitor Logs
Log query audit logs provide telemetry about log queries run in Azure Monitor. This includes information such as when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query's execution.
Configure query auditing
Query auditing is enabled with a diagnostic setting on the Log Analytics workspace. This allows you to send audit data to the current workspace or any other workspace in your subscription, to Azure Event Hubs to send outside of Azure, or to Azure Storage for archiving.
Azure portal
Access the diagnostic setting for a Log Analytics workspace in the Azure portal in either of the following locations:
- From the Azure Monitor menu, select Diagnostic settings, and then locate and select the workspace.
- From the Log Analytics workspaces menu, select the workspace, and then select Diagnostic settings.
Resource Manager template
You can get an example Resource Manager template from Diagnostic setting for Log Analytics workspace.
Audit data
An audit record is created each time a query is run. If you send the data to a Log Analytics workspace, it's stored in a table called LAQueryLogs. The following table describes the properties in each record of the audit data.
Field | Description |
---|---|
TimeGenerated | UTC time when the query was submitted. |
CorrelationId | Unique ID to identify the query. Can be used in troubleshooting scenarios when contacting Microsoft for assistance. |
AADObjectId | Microsoft Entra ID of the user account that started the query. |
AADTenantId | ID of the tenant of the user account that started the query. |
AADEmail | Email of the user account that started the query. |
AADClientId | ID and resolved name of the application used to start the query. |
RequestClientApp | Resolved name of the application used to start the query. For more information, see Request Client App. |
QueryTimeRangeStart | Start of the time range selected for the query. This may not be populated in certain scenarios, such as when the query is started from Log Analytics and the time range is specified inside the query rather than with the time picker. |
QueryTimeRangeEnd | End of the time range selected for the query. This may not be populated in certain scenarios, such as when the query is started from Log Analytics and the time range is specified inside the query rather than with the time picker. |
QueryText | Text of the query that was run. |
RequestTarget | API URL that was used to submit the query. |
RequestContext | List of resources that the query was requested to run against. Contains up to three string arrays: workspaces, applications, and resources. Subscription- or resource group-targeted queries show as resources. Includes the target implied by RequestTarget. The resource ID for each resource is included if it can be resolved; it may not be resolvable if an error is returned when accessing the resource, in which case the specific text from the query is used. If the query uses an ambiguous name, such as a workspace name that exists in multiple subscriptions, that ambiguous name is used. |
RequestContextFilters | Set of filters specified as part of the query invocation. Includes up to three possible string arrays: ResourceTypes (type of resource to limit the scope of the query), Workspaces (list of workspaces to limit the query to), and WorkspaceRegions (list of workspace regions to limit the query to). |
ResponseCode | HTTP response code returned when the query was submitted. |
ResponseDurationMs | Time, in milliseconds, for the response to be returned. |
ResponseRowCount | Total number of rows returned by the query. |
StatsCPUTimeMs | Total CPU time, in milliseconds, used for computing, parsing, and data fetching. Only populated if the query returns with status code 200. |
StatsDataProcessedKB | Amount of data, in KB, that was accessed to process the query. Influenced by the size of the target table, the time span used, the filters applied, and the number of columns referenced. Only populated if the query returns with status code 200. |
StatsDataProcessedStart | Time of the oldest data that was accessed to process the query. Influenced by the query's explicit time span and the filters applied. This might be larger than the explicit time span due to data partitioning. Only populated if the query returns with status code 200. |
StatsDataProcessedEnd | Time of the newest data that was accessed to process the query. Influenced by the query's explicit time span and the filters applied. This might be larger than the explicit time span due to data partitioning. Only populated if the query returns with status code 200. |
StatsWorkspaceCount | Number of workspaces accessed by the query. Only populated if the query returns with status code 200. |
StatsRegionCount | Number of regions accessed by the query. Only populated if the query returns with status code 200. |
Request Client App
RequestClientApp | Description |
---|---|
AAPBI | Log Analytics integration with Power BI. |
AppAnalytics | Experiences of Log Analytics in the Azure portal. |
AppInsightsPortalExtension | Workbooks or Application Insights. |
ASC_Portal | Microsoft Defender for Cloud. |
ASI_Portal | Sentinel. |
AzureAutomation | Azure Automation. |
AzureMonitorLogsConnector | Azure Monitor Logs Connector. |
csharpsdk | Log Analytics Query API. |
Draft-Monitor | Log search alert creation in the Azure portal. |
Grafana | Grafana connector. |
IbizaExtension | Experiences of Log Analytics in the Azure portal. |
infraInsights/container | Container insights. |
infraInsights/vm | VM insights. |
LogAnalyticsExtension | Azure Dashboard. |
LogAnalyticsPSClient | Log Analytics Query API. |
OmsAnalyticsPBI | Log Analytics integration with Power BI. |
PowerBIConnector | Log Analytics integration with Power BI. |
Sentinel-Investigation-Queries | Sentinel. |
Sentinel-DataCollectionAggregator | Sentinel. |
Sentinel-analyticsManagement-customerQuery | Sentinel. |
Unknown | Log Analytics Query API. |
UpdateManagement | Update Management. |
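As an added example that is not Microsoft's code, the following Python triages LAQueryLogs records exported as JSON lines, using the fields and RequestClientApp values documented above: it flags unlisted client applications, direct Query API use, failed queries, bulk reads, cross-workspace queries, and queries that touch tables you consider sensitive. The sensitive table names, the bulk-read threshold, the client app name CustomTool/1.0, and the sample records are constructed assumptions.

```python
import json

# RequestClientApp values this page maps to direct use of the Log Analytics Query API.
API_CLIENT_APPS = {"csharpsdk", "LogAnalyticsPSClient", "Unknown"}
# Every RequestClientApp value listed on this page.
KNOWN_CLIENT_APPS = API_CLIENT_APPS | {
    "AAPBI", "AppAnalytics", "AppInsightsPortalExtension", "ASC_Portal", "ASI_Portal",
    "AzureAutomation", "AzureMonitorLogsConnector", "Draft-Monitor", "Grafana", "IbizaExtension",
    "infraInsights/container", "infraInsights/vm", "LogAnalyticsExtension", "OmsAnalyticsPBI",
    "PowerBIConnector", "Sentinel-Investigation-Queries", "Sentinel-DataCollectionAggregator",
    "Sentinel-analyticsManagement-customerQuery", "UpdateManagement"}
SENSITIVE_TABLES = ("SigninLogs", "SecurityEvent")  # assumed to be sensitive in this environment
BULK_READ_KB = 500_000                               # assumed threshold, about 500 MB

# Constructed sample LAQueryLogs records as JSON lines; only the fields used below are present.
SAMPLE_RECORDS = """\
{"AADObjectId":"u-1","RequestClientApp":"IbizaExtension","QueryText":"Heartbeat | take 10","ResponseCode":200,"StatsDataProcessedKB":12,"StatsWorkspaceCount":1}
{"AADObjectId":"u-2","RequestClientApp":"Unknown","QueryText":"SigninLogs | where TimeGenerated > ago(90d)","ResponseCode":200,"StatsDataProcessedKB":812000,"StatsWorkspaceCount":3}
{"AADObjectId":"u-2","RequestClientApp":"Unknown","QueryText":"SecurityEvent | take 1","ResponseCode":403}
{"AADObjectId":"u-3","RequestClientApp":"CustomTool/1.0","QueryText":"Perf | summarize count()","ResponseCode":200,"StatsDataProcessedKB":3000,"StatsWorkspaceCount":1}
"""

def review_record(rec: dict) -> list[str]:
    """Return the review findings for one LAQueryLogs record."""
    findings = []
    app = rec.get("RequestClientApp", "")
    if app not in KNOWN_CLIENT_APPS:
        findings.append(f"unlisted client app {app!r}")
    elif app in API_CLIENT_APPS:
        findings.append("direct Query API use")
    if rec.get("ResponseCode") != 200:
        # Stats* fields are only populated for status 200, so there is nothing more to check.
        return findings + [f"failed query (HTTP {rec.get('ResponseCode')})"]
    if rec.get("StatsDataProcessedKB", 0) >= BULK_READ_KB:
        findings.append(f"bulk read of {rec['StatsDataProcessedKB']} KB")
    if rec.get("StatsWorkspaceCount", 1) > 1:
        findings.append(f"cross-workspace query ({rec['StatsWorkspaceCount']} workspaces)")
    # QueryText is captured verbatim (the h hint does not obfuscate it), so match table names directly.
    hits = [t for t in SENSITIVE_TABLES if t in rec.get("QueryText", "")]
    if hits:
        findings.append("touches sensitive table(s): " + ", ".join(hits))
    return findings

def triage(jsonl: str) -> dict[str, list[str]]:
    """Group findings by principal (AADObjectId) across all records."""
    out: dict[str, list[str]] = {}
    for line in jsonl.splitlines():
        rec = json.loads(line)
        out.setdefault(rec["AADObjectId"], []).extend(review_record(rec))
    return out
```

In practice the same checks are easier to express as a KQL query over the LAQueryLogs table in the workspace that receives the audit data; this script is for records that have been exported to Event Hubs or Storage.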
Considerations
- Queries are only logged when executed in a user context. No service-to-service queries within Azure are logged. The two primary sets of queries this exclusion encompasses are billing calculations and automated alert executions. In the case of alerts, only the scheduled alert query itself isn't logged; the initial execution of the alert in the alert creation screen runs in a user context and is available for audit purposes.
- Performance statistics aren't available for queries coming from the Azure Data Explorer proxy. All other data for these queries will still be populated.
- The h hint that obfuscates string literals has no effect on the query audit logs. Queries are captured exactly as submitted, without the strings being obfuscated. You should ensure that only users who have compliance rights to see this data are able to do so, using the various Kubernetes RBAC or Azure RBAC modes available in Log Analytics workspaces.
- For queries that include data from multiple workspaces, the query will only be captured in those workspaces to which the user has access.
Costs
There's no cost for Azure Diagnostic Extension, but you may incur charges for the data ingested. Check Azure Monitor pricing for the destination where you're collecting data.
Next steps
- Learn more about diagnostic settings.
- Learn more about optimizing log queries.