AzureActivity

Entries from the Azure Activity log that provides insight into any subscription-level or management group level events that have occurred in Azure.

Categories

  • Azure Resources
  • Audit
  • Security

Solutions

  • LogManagement

Resource types

  • Microsoft App Configuration
  • Data Lake Storage Gen1
  • Recovery Services Vaults
  • Data factories
  • Automation account
  • API Management services
  • Logic Apps
  • Service Fabric Clusters
  • IoT Hub
  • Azure Monitor autoscale settings
  • Azure Databricks Services
  • Data Lake Analytics
  • Azure Arc Provisioned Clusters
  • Virtual Machine Scale Sets
  • System Center Virtual Machine Manager
  • Azure Stack HCI
  • VMware
  • Event Grid System Topics
  • Event Grid Partner Topics
  • Event Grid Partner Namespaces
  • Event Grid Domains
  • Azure Blockchain Service
  • Azure AD Domain Services
  • Azure Arc Enabled Kubernetes
  • Azure Data Explorer Clusters
  • Power BI Embedded
  • SQL Managed Instances
  • Bastions
  • Stream Analytics jobs
  • Search Services
  • Virtual Networks
  • Virtual Private Network Gateways
  • Virtual Network Gateways
  • Traffic Manager Profiles
  • Public IP Addresses
  • Network Security Groups
  • Network Interfaces
  • Data Share
  • Load Balancers
  • ExpressRoute Circuits
  • Application Gateways
  • Event Hubs
  • Device Provisioning Services
  • Azure Database for MariaDB Servers
  • Azure Database for PostgreSQL Servers V2
  • Azure Database for PostgreSQL Servers
  • Azure Database for MySQL Servers
  • SQL Databases
  • SQL Servers
  • Front Doors
  • Azure API for FHIR
  • Container Registries
  • Storage Accounts
  • Network Watcher - Connection Monitor
  • Microsoft Connected Vehicle Platform
  • Microsoft Connected Cache
  • Bot Services
  • Azure Virtual Network Manager
  • Azure Traffic Collector
  • Microsoft.Purview/accounts
  • Kubernetes Services
  • Azure Managed Instance for Apache Cassandra
  • Azure Load Testing
  • Container Apps
  • Key Vaults
  • Firewalls
  • Event Grid Topics
  • Azure Digital Twins
  • Project CI Workspace
  • Azure Cosmos DB
  • Communication Services
  • Azure Cache for Redis
  • Azure Attestation
  • Azure Autonomous Development Platform workspace
  • App Services
  • Azure Managed Workspace for Grafana
  • SignalR
  • Dynamics 365 Customer Insights
  • Dev Centers
  • Cognitive Services
  • Azure Spring Cloud
  • CDN Profiles
  • Batch Accounts
  • Analysis Services
  • Workload Monitor
  • Time Series Insights Environments
  • Desktop Virtualization workspaces
  • Desktop Virtualization Application Groups
  • Application Insights
  • Azure Database for PostgreSQL Flexible Servers
  • SignalR Service WebPubSub
  • Azure Subscription
  • Default schema for a resource
  • Desktop Virtualization Host Pools
  • Synapse Workspaces
  • Azure Storage Mover
  • Virtual machines
  • Media Services
  • Machine Learning
  • HDInsight Clusters
  • Experiment Workspace
  • Azure Resource Group
  • Service Bus

Columns

Column Type Description
ActivityStatus string
ActivityStatusValue string Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved.
ActivitySubstatus string
ActivitySubstatusValue string Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200).
Authorization string Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as string. The use of Authorization_d should be preferred going forward.
Authorization_d dynamic Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as dynamic column.
Caller string GUID of the caller.
CallerIpAddress string IP address of the user who has performed the operation UPN claim or SPN claim based on availability.
Category string
CategoryValue string Category of the activity log e.g. Administrative, Policy, Security.
Claims string The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward.
Claims_d dynamic The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.
CorrelationId string Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.
EventDataId string Unique identifier of an event.
EventSubmissionTimestamp datetime Timestamp when the event became available for querying.
Hierarchy string Management group hierarchy of the management group or subscription that event belongs to.
HTTPRequest string Blob describing the Http Request. Usually includes the “clientRequestId”, “clientIpAddress” and “method” (HTTP method. For example, PUT).
Level string Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose.
OperationId string GUID of the operation
OperationName string
OperationNameValue string Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action.
Properties string Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead.
Properties_d dynamic Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column.
Resource string
ResourceGroup string Resource group name of the impacted resource.
_ResourceId string A unique identifier for the resource that the record is associated with
ResourceId string
ResourceProvider string
ResourceProviderValue string Id of the resource provider for the impacted resource - e.g. Microsoft.Storage.
SourceSystem string Azure is used always for AzureActivity
SubscriptionId string Subscription ID of the impacted resource.
_SubscriptionId string A unique identifier for the subscription that the record is associated with
TenantId string ID of the worksapce that stores this record
TimeGenerated datetime Timestamp when the event was generated by the Azure service processing the request corresponding the event.
Type string The name of the table