Question regarding powershell script.

Question

I prepared a powershell script which will fetch the list the resources created on azure in last 30 days.

Get-AzLog -StartTime (Get-Date).AddDays(-30) -EndTime (Get-Date) -Status "Succeeded"

`

| Where-Object { $.ResourceGroupName -ne "" -and $.OperationName -like " *Create *"
*
I just wanted to confirm if any resources created in azure then in activity logs, is it always an operationName logs will be generated which must contains create word in their operation name.

E.g.

For storage account created OperationName is like "Update Storage Account Create"
For VM created OperationName is like "Create or Update Virtual Machine"

So, for this two we have create word somwhere in operationname.

Can I be sure that if I create any resources in azure it must conatins word create

Answer 1

Hello Jawed,

If we see the operations of Azure resources, the create and update will be both under operation of "write" for most of the resources: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations. In this case, filtering "create" in operation names may have exact results of updating resources.

Per the document for schema of activity logs: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#administrative-category, we can see the creation of resources should be under administrative catogery. Checking into the properties, we may use httpRequest or subStatus as reference as these properties could indicate the HTTP opeation "PUT" or "201 Created":

However, there are various of kinds of Azure resources. Some of them may have their own log schema. You will always need to check per resource type before you can confirm the query you used can apply expectedly.

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.