Queries for the AFSAuditLogs table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Aggregate operations query

List all the UnsuspendAmlFilesystem requests for a given time duration.

AFSAuditLogs
// The OperationName below can be replaced to obtain other operations, such as "RebootAmlFilesystemNode" or "AmlFSRefreshHSMToken".
| where OperationName has "UnsuspendAmlFilesystem"
| project TimeGenerated, _ResourceId, ActivityId, ResultSignature, ResultDescription, Location
| sort by TimeGenerated asc
| limit 100

Unauthorized requests query

Count of failed AMLFilesystems requests due to unauthorized access.

AFSAuditLogs
// 401 below could be replaced by other result signatures to obtain different operation results.
// For example, 'ResultSignature == 202' to obtain accepted requests.
| where ResultSignature == 401
| summarize count() by _ResourceId, OperationName