AzureActivity
Entries from the Azure Activity log that provides insight into any subscription-level or management group level events that have occurred in Azure.
Categories
- Azure Resources
- Audit
- Security
Solutions
- LogManagement
Resource types
- Azure AD Domain Services
- Microsoft App Configuration
- Application Gateways
- App Services
- Azure Autonomous Development Platform workspace
- Azure Attestation
- Azure Cache for Redis
- CDN Profiles
- Azure CloudHsm
- Communication Services
- Azure Cosmos DB
- Project CI Workspace
- Azure Digital Twins
- Event Grid Topics
- Event Hubs
- Firewalls
- Azure Managed Workspace for Grafana
- Key Vaults
- Kubernetes Services
- Azure Load Testing
- Azure Managed Instance for Apache Cassandra
- Nexus BareMetal Machines
- Nexus Clusters
- Nexus Storage Appliances
- Microsoft.Purview/accounts
- Recovery Services Vaults
- Relay
- Service Bus
- Azure Traffic Collector
- Azure Virtual Network Manager
- Bot Services
- Chaos Experiment
- Microsoft Connected Cache
- Microsoft Connected Vehicle Platform
- Network Watcher - Connection Monitor
- Container Apps
- Dynamics 365 Customer Insights
- Azure Database for MySQL Flexible Servers
- Azure Database for PostgreSQL Flexible Servers
- Dev Centers
- Experiment Workspace
- HDInsight Clusters
- Nexus Network Fabric - Network Devices
- Virtual machines
- Machine Learning
- Machine Learning
- Media Services
- Microsoft Playwright Testing
- Microsoft Graph Logs
- Azure Managed Lustre
- Azure Storage Mover
- Synapse Workspaces
- Desktop Virtualization Host Pools
- Default schema for a resource
- Azure Subscription
- Azure Resource Group
- SignalR Service WebPubSub
- Application Insights
- Desktop Virtualization Application Groups
- Desktop Virtualization workspaces
- Time Series Insights Environments
- Workload Monitor
- Analysis Services
- Batch Accounts
- Azure Spring Apps
- Cognitive Services
- Storage Accounts
- SignalR
- Container Registries
- Azure Data Explorer Clusters
- Azure Blockchain Service
- Event Grid Domains
- Event Grid Partner Namespaces
- Event Grid Partner Topics
- Event Grid System Topics
- VMware
- Azure Stack HCI
- System Center Virtual Machine Manager
- Virtual Machine Scale Sets
- Azure Arc Enabled Kubernetes
- Azure Arc Provisioned Clusters
- Azure Databricks Services
- Azure Monitor autoscale settings
- IoT Hub
- Service Fabric Clusters
- Logic Apps
- API Management services
- Automation account
- Data factories
- Data Lake Storage Gen1
- Data Lake Analytics
- Power BI Embedded
- Data Share
- SQL Managed Instances
- SQL Servers
- SQL Databases
- Azure Database for MySQL Servers
- Azure Database for PostgreSQL Servers
- Azure Database for PostgreSQL Servers V2
- Azure Database for MariaDB Servers
- Device Provisioning Services
- ExpressRoute Circuits
- Front Doors
- Load Balancers
- Network Interfaces
- Network Security Groups
- Public IP Addresses
- Traffic Manager Profiles
- Virtual Network Gateways
- Virtual Private Network Gateways
- Virtual Networks
- Search Services
- Stream Analytics jobs
- Bastions
- Azure API for FHIR
Columns
| Column | Type | Description |
|---|---|---|
| ActivityStatus | string | |
| ActivityStatusValue | string | Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved. |
| ActivitySubstatus | string | |
| ActivitySubstatusValue | string | Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200). |
| Authorization | string | Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as string. The use of Authorization_d should be preferred going forward. |
| Authorization_d | dynamic | Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as dynamic column. |
| _BilledSize | real | The record size in bytes |
| Caller | string | GUID of the caller. |
| CallerIpAddress | string | IP address of the user who has performed the operation UPN claim or SPN claim based on availability. |
| Category | string | |
| CategoryValue | string | Category of the activity log e.g. Administrative, Policy, Security. |
| Claims | string | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward. |
| Claims_d | dynamic | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. |
| CorrelationId | string | Usually a GUID in the string format. Events that share a correlationId belong to the same uber action. |
| EventDataId | string | Unique identifier of an event. |
| EventSubmissionTimestamp | datetime | Timestamp when the event became available for querying. |
| Hierarchy | string | Management group hierarchy of the management group or subscription that event belongs to. |
| HTTPRequest | string | Blob describing the Http Request. Usually includes the “clientRequestId”, “clientIpAddress” and “method” (HTTP method. For example, PUT). |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose. |
| OperationId | string | GUID of the operation |
| OperationName | string | |
| OperationNameValue | string | Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action. |
| Properties | string | Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead. |
| Properties_d | dynamic | Set of <Key Value> pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column. |
| Resource | string | |
| ResourceGroup | string | Resource group name of the impacted resource. |
| ResourceId | string | |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ResourceProvider | string | |
| ResourceProviderValue | string | Id of the resource provider for the impacted resource - e.g. Microsoft.Storage. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SubscriptionId | string | Subscription ID of the impacted resource. |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Timestamp when the event was generated by the Azure service processing the request corresponding the event. |
| Type | string | The name of the table |