need help on Creating a log analytics report - for "Resource changes that were done manually"

Ankita Rani Patro 176 Reputation points
2023-05-15T21:28:02.0733333+00:00

I wanted to create a quesry to see all changes done manually by user with virtual machine. we should use devops but peaople are manually changing configuration. so wanted to create a query to validate

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,922 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Monalla-MSFT 12,596 Reputation points
    2023-05-16T17:04:37.17+00:00

    @Ankita Rani Patro - Thanks for reaching out to us.

    To create a log analytics report for resource changes that were done manually, you can use the Azure Monitor Change Analysis feature.

    Here are the steps to create a log analytics report for resource changes that were done manually:

    Go to the Azure portal and navigate to the Log Analytics workspace that you want to use for the report.

    Click on "Logs" in the left-hand menu.

    In the query editor, enter the following query:

    AzureActivity
    | where OperationNameValue == "Microsoft.Resources/deployments/write"
    | where ActivityStatus == "Succeeded"
    | where ResourceProviderValue == "Microsoft.Resources"
    | where ResourceGroup != ""
    | where Caller != ""
    | where DeploymentName != ""
    | where DeploymentStatus == "Succeeded"
    | where DeploymentScope == "ResourceGroup"
    | where DeploymentType == "Incremental"
    | where DeploymentTemplateLink.uri != ""
    | where DeploymentTemplateLink.uri contains "https://management.azure.com/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/deployments/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/subscriptions/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/resourceGroups/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/providers/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/policyDefinitions/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/policyAssignments/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/links/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/tags/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/managedBy/"
    | where DeploymentTemplateLink.uri !contains "/providers/Microsoft.Resources/aliases/"
    | project TimeGenerated, Caller, ResourceGroup, DeploymentName, DeploymentTemplateLink.uri
    

    This query will return a list of all successful deployments that were done manually.

    Click on "Run" to execute the query.

    Once the query has finished running, click on "Export" and select "CSV" to export the results to a CSV file.

    Hope this helps. and please feel free to reach out if you have any further questions.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.